CN101582769B - Authority setting method of user access network and equipment - Google Patents


Info

Publication number: CN101582769B
Authority: CN (China)
Prior art keywords: network, user, network access, user account, access
Legal status: Active
Application number: CN2009101487926A
Other languages: Chinese (zh)
Other versions: CN101582769A (en)
Inventor: 贾晓巍
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Events:
  • Application filed by Hangzhou H3C Technologies Co Ltd
  • Priority to CN2009101487926A
  • Publication of CN101582769A
  • Application granted
  • Publication of CN101582769B
  • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent
    • H04W 12/64 Location-dependent; Proximity-dependent using geofenced areas
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/02 Services making use of location information
    • H04W 4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and equipment for setting the access authority of a user accessing a network, applied to a network system comprising a network authentication server and a plurality of network access areas. The network authentication server stores, for at least one user name, the access authority information in each of the network access areas. When a user requests access, the user name and the position identification information of the current network access area are supplied, the corresponding resource access authority is obtained, and network access proceeds. The invention assigns access authority according to the user's actual access position, avoids the loss of control over access authority that a change of access area would otherwise cause, applies uniform access authority control to non-resident staff in every access area, and lets the user access with a single account. This is convenient for users and improves both the security of the network and the user experience.

Description

Authority setting method of user access network and equipment
Technical field
The present invention relates to the field of communication technology, and in particular to a method and equipment for setting the access authority of a user accessing a network.
Background technology
With the continuing spread and development of network applications, network security has gradually become a problem that every enterprise takes very seriously. Among its aspects, access control of users is a vital one: allowing legitimate users to use the network, and authenticating and authorizing them correctly, is the basic requirement of network access control. The Remote Access Dial In User Service (RADIUS) protocol is the standard protocol for controlling network user access and is based on the client/server (C/S) model. Before accessing the network, the user must first pass authentication by an Authentication, Authorization and Accounting (AAA) server, which guarantees that only users who have passed authentication and authorization can access the network.
On the basis of network identity authentication, Network Admission Control (NAC) schemes impose stricter security requirements on the user terminals that access the network. A network access control scheme is an integrated scheme whose basic elements comprise a security client, security interaction equipment, a security policy server and third-party servers such as antivirus servers and patch servers. Each component performs its own function; coordinated and integrated by the security policy center, they jointly accomplish security state evaluation, isolation and repair of network access terminals, and so raise the overall defensive capability of the network.
Personal computers (PCs), including desktop and portable computers, and other equipment capable of network access are collectively referred to as terminals. The client software of the network access control system runs on each terminal. The network access control scheme requires that a user who has passed authentication also pass a security certification of the terminal, in which a security check is performed according to the security policy customized by the network administrator, for example: whether the virus database is up to date, whether system patches are installed, whether software is on the black or white list, the use of USB flash drives and other peripherals, and so on. According to the result of the check, the network access control scheme authorizes and controls the user's network access. Once the security certification is passed, the user can use the network normally; meanwhile the network access control scheme can audit and monitor the running state of the user terminal and the use of the network.
Figure 1 shows the typical networking diagram of a technical scheme for user access to a network.
When an enterprise introduces a network access control scheme, it often formulates different security control policies in each organization and department according to the relevant information security policy. However, with the development of cross-departmental work and collaborative office work, problems of network access authentication and authority control often arise for "roaming users" (network access users who move from one position to another and can still use the network normally, i.e. roam).
As shown in Figure 2, an enterprise is divided into different administrative regions by function, and each administrative region deploys different network security control policies according to its information security needs. In practice, cross-departmental work exchanges are common. For example, in Figure 2, an employee of the marketing department carries a notebook computer to the research and development department for a work exchange, and the following problems may arise:
1. If the employee uses their own access user name, they cannot access the research and development department's network (the access system does not authorize them to access the research and development area), so the employee cannot use the local network resources;
2. If the employee can access the research and development area and uses the network security control policy set for the research and development area, the resources of the research and development area become accessible, which may lead to leakage of research and development information.
To solve the roaming user's access problem, enterprises often adopt a "multiple users, multiple domain names" approach to distinguish the different access areas into which a user roams. The user performs network access authentication with different user names or domain names in different access areas, and the authentication access server identifies the different security control policies from the user name or domain name and grants the user different access rights. For example, "ABC" is the user name for accessing the marketing department's network, "ABCresearch" (user name plus domain name) is the user name for accessing the research and development area's network, and "ABC.bj" is the user name for accessing the Beijing office. In this way, the user performs network access authentication with a different access account each time they roam into a different area.
In the course of realizing the present invention, the applicant found that the prior art has at least the following problems:
1. The roaming user has to remember several access accounts and must switch accounts every time they access the network in a different area;
2. If the roaming user has no access account and authority configured in a certain access area, they must ask the network administration staff to assign an access account and access rights;
3. The configuration of a large number of accounts and the assignment of access rights bring a great deal of repetitive work for the network administration staff;
4. The life cycle of accounts cannot be controlled effectively; for example, when an employee leaves, even if the account of their own department is cancelled at the same time, their roaming accounts still exist in the system, leaving a back-door hazard in the enterprise network;
5. The administrative regions lack unified management of the secure access authority of roaming users; differences in the configuration of secure access authority are unavoidable and cause some roaming users to be able to access unauthorized network resources.
Summary of the invention
The present invention provides a method and equipment for setting the access authority of a user accessing a network, so that the user performs network authentication and access with a single account and is assigned the corresponding network access authority according to the user's access position.
To achieve the above object, one aspect of the present invention provides a method for setting the access authority of a user accessing a network, applied to a network system comprising a network authentication server and a plurality of network access areas, where each network access area comprises an access device and at least one user terminal, and at least one user account, each corresponding to a user name, is set up in the network system. The method comprises:
the network authentication server sets up at least one resource access authority for each network access area;
the network authentication server sets the resource access authority corresponding to the user account in each network access area;
the network authentication server stores the correspondence between the resource access authority of the user name of the user account in each network access area and the position identification information of that network access area;
when the user account requests access to resources, the network authentication server receives the user account information forwarded by the access device together with the position identification information of the access device itself, and determines the resource access authority of the user account in the network access area corresponding to that position identification information;
where the network access area is the network area to which the user account requests access.
Preferably, the position identification information of the network access area is:
the IP address of the access device in the network access area; or
the IP address of the user terminal in the network access area.
Preferably, if the position identification information of the network access area is the IP address of the user terminal in the network access area, the method further comprises:
the plurality of network access areas correspond to a plurality of IP address segments respectively;
the IP addresses of the user terminals included in a network access area lie within the IP address segment corresponding to that network access area.
Preferably, when the user account requests access to resources, the step in which the network authentication server receives the user account information forwarded by the access device together with the position identification information of the access device itself and determines the resource access authority of the user account in the network access area corresponding to that position identification information comprises:
the network authentication server receives the authentication request message sent by the access device, which comprises the user name and password of the user account and the position identification information of the network access area in which the user account is currently located;
the network authentication server authenticates the match between the user name and password of the user account, and obtains the resource access authority of the user name in the network access area corresponding to the position identification information.
Preferably, the method further comprises:
if the authentication of the match between the user name and password of the user account succeeds, the network authentication server sends authentication confirmation information for the user account to the access device and allocates resource access rights to the user account;
if the authentication of the match between the user name and password of the user account fails, or the network authentication server fails to obtain the resource access authority of the user name in the network access area corresponding to the position identification information, the network authentication server sends an authentication failure message to the access device and refuses resource access for the user account.
On the other hand, the present invention also provides a network authentication server, applied to a network system comprising a network authentication server and a plurality of network access areas, where each network access area comprises an access device and at least one user terminal, and at least one user account, each corresponding to a user name, is set up in the network system. The server comprises:
a setting module, used to set up at least one resource access authority for each network access area and to set the resource access authority corresponding to the user account in each network access area;
a storage module, electrically connected with the setting module, used to store the correspondence between the resource access authority of the user name of the user account in each network access area and the position identification information of that network access area;
a communication module, electrically connected with the storage module, used to receive the authentication request message sent by the access device, which comprises the user name and password of the user account and the position identification information of the network access area in which the user account is currently located, to send authentication confirmation information or an authentication failure message for the user name to the access device according to the authentication result, and, when authentication of the user name succeeds, to send the user's resource access authority to the access device;
an authentication module, electrically connected with the storage module and the communication module, used, when the user account requests access to resources, to authenticate the user name in the network access area according to the user name and password of the user account and the position identification information of the access device itself, as forwarded by the access device and received by the communication module, together with the access authority information stored in the storage module and the correspondence between the user name and the network access area;
where the network access area is the network area to which the user account requests access.
Preferably, the position identification information of the network access area in which the user account corresponding to the user name is currently located is:
the IP address of the access device in the network access area; or
the IP address of the user terminal in the network access area.
Preferably, if the position identification information of the network access area is the IP address of the user terminal in the network access area, the following also applies:
the plurality of network access areas correspond to a plurality of IP address segments respectively;
the IP address of at least one user terminal included in a network access area lies within the IP address segment corresponding to that network access area.
Preferably, the authentication of the user account in the network access area by the authentication module is as follows:
if the authentication module succeeds in authenticating the match between the user name and password of the user account, the network authentication server sends authentication confirmation information for the user account to the access device and allocates resource access rights to the user account according to the access authority information and the correspondence between the user name and the network access area;
if the authentication module fails to authenticate the match between the user name and password of the user account, or the network authentication server fails to obtain the resource access authority of the user name in the network access area corresponding to the position identification information, the network authentication server sends an authentication failure message to the access device and refuses resource access for the user account.
Compared with the prior art, the present invention has the following advantages:
Through the present invention, access authority is assigned according to the user's actual access position; the loss of control over access rights that a change of access area would otherwise cause is avoided; unified access authority control can be applied to non-resident staff in every access area; and access with a single account is convenient for users. Network security is improved and the user experience is improved at the same time.
Description of drawings
Fig. 1 is a schematic diagram of the networking structure of a network access control scheme in the prior art;
Fig. 2 is a schematic diagram of the partitioned networking structure of an enterprise in the prior art;
Fig. 3 is a schematic flow chart of a method for setting the access authority of a user accessing a network provided by the invention;
Fig. 4 is a schematic flow chart of authority authentication performed according to the access authority settings provided by the invention;
Fig. 5 is a schematic diagram of a typical networking structure for 802.1x authentication provided by the invention;
Fig. 6 is a schematic flow chart of the RADIUS authentication process applied in a typical networking structure for 802.1x authentication provided by the invention;
Fig. 7 is a schematic diagram of the structure of a network authentication server provided by the invention.
Embodiment
As described in the background technology, the existing network access control mechanism cannot, on the one hand, effectively control the access rights of users who roam between different areas, which increases the security risk to network resources; on the other hand, it cannot manage users' access authority information in a unified way, which increases the network management workload, and at the same time it inconveniences users' access to network resources across different areas and harms the user experience.
The present invention therefore aims to set users' access rights differently according to the area of the network that the user actually accesses.
To achieve this, the invention provides a method for setting the access authority of a user accessing a network, applied to a network system comprising a network authentication server and a plurality of network access areas, where each network access area comprises an access device and at least one user terminal, and at least one user account, corresponding to a user name, is set up in the network system.
As shown in Figure 3, the method comprises the following steps:
Step S301: the network authentication server sets up at least one resource access authority for each network access area.
Through this step, multi-level access authority rules can be set for a network access area as required, so that the scope of resources reachable by different user accounts is controlled.
Step S302: the network authentication server sets the resource access authority corresponding to the user account in each network access area.
Setting, for the same user name, the resource access authority that corresponds to it in each network access area means that the same user account can access resources in different network access areas through the same user name.
This information can be set according to the specific role or access rules of the user account.
Step S303: the network authentication server stores the correspondence between the resource access authority of the user name of the user account in each network access area and the position identification information of that network access area.
The position identification information of a network access area takes one of two forms:
Case one: the IP address of the access device in the network access area.
In this case the access device of the network access area serves directly as the unique authentication point of that network area.
The network authentication server does not care which terminal in the network access area the user account is using for resource access. Therefore, when the user account accesses resources, it is sufficient to tell the network authentication server which network access area it is currently in, and the IP address of the access device of that network access area achieves this.
In practical application scenarios the access device usually means the access-layer switch, and the position identification information of the corresponding network access area may comprise, in addition to the IP address of the access-layer switch, the port through which the user requests access; such variations do not affect the scope of protection of the present invention.
This case is the more common one in current 802.1x authentication networking structures.
Case two: the IP address of the user terminal in the network access area.
Here the position information of the access terminal is used as the identifier of the network access area. The precondition of this setting is either that the network authentication server stores the position information of every access terminal together with its correspondence to the network access area in which it resides, or that the position information (IP address) of the access terminals follows a rule, for example that each network access area corresponds to a certain IP address range and all IP addresses of the access terminals in that network access area fall within that range.
In this case, although the IP address of the access terminal is used as the position identification information, the network authentication server merely finds the corresponding IP address range from the IP address of the access terminal and thereby determines the corresponding network access area. Therefore, as in case one, the network authentication server does not care which terminal in the network access area the user account is using for resource access; it only needs to locate the network access area in which the user account resides.
This case is the more common one in current Portal authentication networking structures.
Although the specific information content of the two cases differs, the information finally obtained through it is the same; therefore, in a concrete application scenario, as long as the network access area can be located, which of the above kinds of information is used does not affect the scope of protection of the present invention.
Likewise, the IP address of the access device and the IP address of the access terminal are preferred embodiments of the present invention, and other information that achieves the same effect also belongs to the scope of protection of the present invention.
After the above authority setting procedure is complete, when a user account requests resource access, authority authentication is first performed for that user account according to the above authority settings. This authentication procedure is shown in Figure 4 and comprises the following steps:
Step S401: the network authentication server receives the authentication request message sent by the access device, which comprises the user name and password of the user account and the position identification information of the network access area in which the user account is currently located.
According to the specific content of the position identification information of the network access area, the two cases above are elaborated as follows:
Case one: the IP address of the access device in the network access area in which the user account is currently located.
In this case, when the user requests authentication with the user name of a user account from any user terminal in a certain network access area, the corresponding authentication request message uses the IP address of the access device as the unique identifier of the current network access area, and requests from the network authentication server the authority authentication that corresponds to the user in the current network access area.
Case two: the IP address of the user terminal from which the user corresponding to the user name performs authentication.
In this case, when the user requests authentication from any user terminal in a certain network access area, the corresponding authentication request message carries the IP address of that user terminal. Because the IP address was previously set to lie within the IP address segment corresponding to the current network access area, when the authentication request message carrying the IP address of the user terminal reaches the network authentication server, the server can directly determine the IP address segment from the user terminal's IP address, thereby determine the corresponding network access area, and so establish the area in which the user is located and then the corresponding access rights.
Step S402: the network authentication server authenticates the match between the user name and password of the user account, and obtains the resource access authority of the user name in the network access area corresponding to the position identification information.
In this step the network authentication server first checks the match between user name and password to judge whether the user name is legitimate. If the user name and password do not correspond, the user name is judged illegitimate, so there is no need to go on to determine the current network access area, and the access request of that user name is refused directly. Of course, in a concrete application scenario the authentication of user name legitimacy and the authority authentication can also be carried out at the same time; in that case, if the user name legitimacy authentication fails, the result of the authority authentication is not returned even if it has been completed.
Conversely, if the user name and password correspond, the user name is judged legitimate and the subsequent steps proceed. Since judging the match between user name and password is not the focus of the present invention, it is not explained separately.
In this step the network authentication server establishes two pieces of information:
1. Whether the user name is legitimate.
If it is illegitimate, the user's authentication request is refused directly; if it is legitimate, identification of the network access area in which the user resides begins, or the identification of that area is confirmed to be valid.
2. The identification of the network access area in which the user resides.
The network access area in which the user is located is determined from the IP address of the access device or from the IP address segment in which the IP address of the user terminal lies.
Once these two pieces of information are established, the network authentication server directly determines the access authority information of the user name in that network access area from the user name and the network access area information.
The concrete access authority information is set in the authority setting procedure described above; it is set uniformly in advance by the administrator in the network authentication server. A given user name can have different access rights in each of the several network access areas. For example, the user has unrestricted access rights in the network access area of their own department and can access all network resources without restriction, but has limited access rights in the network access areas of other departments, where the user can access only part of the network resources, or cannot access the local network resources at all.
In a concrete application scenario a default authority definition can also be set. When no access rights have been set for the user name of a user account in a certain network access area, i.e. the access rights of that user name in that network access area are absent, the network authentication server can judge, according to the default authority definition, that the user name has no resource access authority in that network access area and therefore cannot access the network resources in the current network access area.
Such a default authority definition is chosen with the security of network resources in mind. Of course, in practical application the default authority definition can also be set to a limited resource access authority, i.e. only part of the network resources can be accessed; these resources are open resources that cannot endanger enterprise information security. Such variations equally belong to the scope of protection of the present invention.
Accordingly, the subsequent steps differ according to the result of the network authentication server's authentication of the match between the user name and the password of the user account, as follows:
If authentication of the match between the user name and password of the user account succeeds, step S403 is executed;
If authentication of the match between the user name and password of the user account fails, step S404 is executed.
Step S403: the network authentication server sends an authentication acknowledgement message for the user account to the access device, and allocates resource access rights to the user account.
Step S404: the network authentication server sends an authentication failure message to the access device, and the user account is refused resource access.
This step corresponds to the case in which authentication of the match between the user name and password of the user account fails. In a real application scenario this step can also be triggered when the network authentication server fails to obtain the resource access right corresponding to the user name of the user account in the network access area corresponding to the position identification information, that is, when the resource access right information cannot be found or cannot be looked up, which is then treated as a right authentication failure. Of course, this case can instead be handled according to the default right definition described above; such a variation does not affect the protection scope of the present invention either.
Through the present invention, access rights are allocated on the basis of the user's actual access position. This avoids access rights becoming uncontrollable when the access area changes, allows unified access right control to be applied to the non-fixed staff of each access area, and makes access with a single account convenient for the user, thereby improving the user experience while improving network security.
From the above explanation it can be seen that the basic ideas of the technical scheme proposed by the present invention are as follows:
Corresponding access rights are allocated to an access user in each network access area according to the user's attributes;
The network authentication server identifies the access rights corresponding to the user according to the network access area the user is currently located in, and allocates the corresponding network resources to the user.
In a concrete implementation scenario, the user attribute can be the user's job function, each network access area can be a concrete administrative region within the enterprise, and the concrete basis for identifying a network access area can be the IP address of the access device or the IP address of the access terminal. Of course, each of the above items can be varied according to actual needs, and such variations likewise fall within the protection scope of the present invention.
The implementation approach of the technical scheme proposed by the present invention is set out below in conjunction with a concrete implementation scenario.
Authenticated access in an enterprise network is mainly realized in two ways: 802.1x and Portal. The two networking modes differ slightly in how this scheme is implemented, but the basic approach is the same. The concrete difference between the two is:
In an 802.1x system, the concrete basis for identifying the network access area is the IP address of the access device, for example the IP address of the access-layer switch.
In a Portal system, the concrete basis for identifying the network access area is the IP address of the access terminal, for example the IP address of the user terminal the user uses to access the network.
To avoid repetition, the subsequent explanation of the present invention describes the technical implementation procedure using the 802.1x authentication networking mode.
For ease of explanation, a concrete network model is given, as shown in Figure 5, which is a typical networking diagram for 802.1x authentication in which each access terminal uses its access switch as the authentication point.
Because of the network characteristics of access-layer switches, each administrative region has one or more independent access devices. According to the actual situation of the enterprise, the IP addresses of the access devices in each administrative region can serve as the access area identification information, and the RADIUS server can identify from which area a user is accessing the network by the IP address of the access device carried in the authentication message.
Based on the above networking structure, the technical scheme proposed by the present invention is specifically as shown in Figure 6 and comprises the following steps:
Step S601: divide the network access areas according to administrative regions, and set up the various access rights in the RADIUS server.
On the RADIUS server (or on a network access control system based on a RADIUS server), all kinds of access rights are configured for each access area. For example, a higher level of access right is configured for the fixed staff of a region, including the right to access resources of that administrative region's network such as servers, business systems and storage devices. For the non-fixed staff of the region, for example roaming staff, visitors and cooperating suppliers, the most basic network access right can be provided as required, including access to the Internet but not to the key resources in the network of that administrative region.
Step S602: the RADIUS server sets the access rights of the access user in each administrative region.
Access rights are allocated to the access user on the RADIUS server (or on a network access control system based on a RADIUS server) according to the user's actual function and work needs. Suitable network access rights are set for the user according to the administrative department the user belongs to, so that the user can normally access the resources of his own administrative region that his work requires. If the user needs to roam to work in another administrative department, access rights in that other access area must be applied for separately. These access rights are defined in a unified way, and the concrete content of each right can be set as required, which avoids the security risks caused by roaming between workplaces.
Step S603: the access host sends the user name and password to the access device and requests authentication.
Regardless of which administrative region the access user connects from, the user always goes online through 802.1x protocol authentication using the same fixed user name.
Step S604: the access device sends the RADIUS server an authentication request message that contains the user name, the password and the IP address of the access device.
After receiving the user's authentication request, the access device sends an Access-Request message to the RADIUS server, which generally contains the following information:
(1) the user name;
(2) the user password in encrypted form;
(3) the IP address and port of the access device.
Step S605: the RADIUS server returns authentication success or failure to the access device.
If the RADIUS server authenticates the user successfully, it sends an Access-Accept message. This message contains the authorization attribute-value pairs (AVPs) that apply to the user;
If the RADIUS server does not accept any one of the values that the access device has supplied to it, it sends an Access-Reject message.
The subsequent steps S606 to S611 are the resource access flow after successful authentication; since this is not the part on which the present invention focuses, it is not described in detail.
It should be pointed out that, in the accounting process included in those steps, the concrete accounting value is always 0 for an enterprise.
From the above explanation it can be confirmed that in the RADIUS authentication process the authentication request packet contains the IP address and port of the access device. Because in step S601 the IP addresses of the access devices were grouped into access area information according to administrative division and saved in the RADIUS server, the RADIUS server can judge at authentication time from which area the access user is connecting. According to the access right information set for the user in each access area in step S502, after the access user is successfully authenticated the RADIUS server delivers to the access device the network access authorization information that conforms to the configured security policy, thereby guaranteeing the access user's safe use of the network.
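As an added example (not the patent's own code nor H3C's implementation), the following Python sketch models the RADIUS-side decision of steps S601 to S605 together with the default-right rule described earlier: the access device hides the password as RFC 2865 prescribes, the server resolves the access area from the access device IP (802.1x mode) or from the IP section containing the user terminal (Portal mode), and answers Access-Accept with the rights of that (user, area) pair or Access-Reject. All addresses, user names, right classes and the shared secret are constructed.

```python
# Added example, not the patent's code: models the RADIUS server decision in steps
# S601-S605 plus the default-right rule. Addresses, names, rights and secret are constructed.
import hashlib, hmac, ipaddress, os
from dataclasses import dataclass
from typing import FrozenSet, Optional

# S601: access areas, identified by access device IP (802.1x) or terminal IP section (Portal).
AREA_BY_NAS_IP = {"10.1.0.1": "RnD", "10.2.0.1": "Finance"}
AREA_BY_TERMINAL_NET = {ipaddress.ip_network("10.1.0.0/16"): "RnD",
                        ipaddress.ip_network("10.2.0.0/16"): "Finance"}
# Right classes per area: "full" for the area's fixed staff, "basic" (Internet only) for visitors.
RIGHT_CLASSES = {
    "RnD":     {"full": {"internet", "rnd-servers", "rnd-storage"}, "basic": {"internet"}},
    "Finance": {"full": {"internet", "finance-servers"},            "basic": {"internet"}},
}
# S602: each user's right class in each area; a missing entry is the "default" (nothing set) case.
USER_AREA_RIGHTS = {
    "alice": {"RnD": "full", "Finance": "basic"},   # alice may roam to Finance as a visitor
    "bob":   {"Finance": "full"},                    # nothing set for bob in RnD
}

def _digest(pw: bytes) -> bytes:   # server-side verifier (constructed salt, no plaintext stored)
    return hashlib.pbkdf2_hmac("sha256", pw, b"constructed-salt", 10_000)
USER_VERIFIERS = {"alice": _digest(b"alice-pw"), "bob": _digest(b"bob-pw")}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))   # output block chains on
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

@dataclass
class AccessRequest:                    # the items listed under step S604 (port omitted)
    username: str
    hidden_password: bytes
    nas_ip: str                         # access device IP (802.1x area key)
    authenticator: bytes                # random Request Authenticator
    terminal_ip: Optional[str] = None   # user terminal IP (Portal area key)

@dataclass
class Decision:
    code: str                           # "Access-Accept" or "Access-Reject"
    area: Optional[str] = None
    rights: FrozenSet[str] = frozenset()   # authorization AVPs carried on accept

def build_request(username: str, password: str, secret: bytes, nas_ip: str,
                  terminal_ip: Optional[str] = None) -> AccessRequest:
    """What the access device sends to the RADIUS server in step S604."""
    auth = os.urandom(16)
    return AccessRequest(username, hide_password(password.encode(), secret, auth),
                         nas_ip, auth, terminal_ip)

class RadiusAuthz:
    """Step S605: authenticate, locate the access area, look up the (user, area) rights."""
    def __init__(self, secret: bytes, mode: str, default_rights: FrozenSet[str] = frozenset()):
        self.secret, self.mode = secret, mode      # mode: "802.1x" or "portal"
        self.default_rights = default_rights       # empty = deny when nothing is set for the user

    def resolve_area(self, req: AccessRequest) -> Optional[str]:
        if self.mode == "802.1x":
            return AREA_BY_NAS_IP.get(req.nas_ip)
        if req.terminal_ip is not None:
            addr = ipaddress.ip_address(req.terminal_ip)
            for net, area in AREA_BY_TERMINAL_NET.items():
                if addr in net:
                    return area
        return None

    def authenticate(self, req: AccessRequest) -> bool:
        stored = USER_VERIFIERS.get(req.username, b"\x00" * 32)   # unknown user: dummy verifier
        pw = unhide_password(req.hidden_password, self.secret, req.authenticator)
        # Constant-time compare; an unknown user takes the same path as a bad password.
        return hmac.compare_digest(_digest(pw), stored)

    def authorize(self, req: AccessRequest) -> Decision:
        if not self.authenticate(req):
            return Decision("Access-Reject")       # user name / password mismatch
        area = self.resolve_area(req)
        if area is None:                           # access position not recognised
            return Decision("Access-Reject")
        cls = USER_AREA_RIGHTS.get(req.username, {}).get(area)
        rights = frozenset(RIGHT_CLASSES[area][cls]) if cls else self.default_rights
        if not rights:                             # no right found: treated as a failure
            return Decision("Access-Reject", area)
        return Decision("Access-Accept", area, rights)   # AVPs for this user in this area
```

Passing a non-empty `default_rights` (for example only `{"internet"}`) reproduces the limited-default variant the description mentions, where an unconfigured user still reaches open resources but nothing else.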
In order to realize the above technical scheme, the present invention also provides a network authentication server, applied in a network system comprising the network authentication server and a plurality of network access areas, where each network access area comprises an access device and at least one user terminal, at least one user account is established in the network system, and each user account corresponds to a user name.
As shown in Figure 7, the network authentication server specifically comprises:
A setting module 71, used to set up at least one resource access right for each network access area, and to set, respectively, the resource access right corresponding to the user account in each network access area.
A storage module 72, electrically connected to the setting module 71, used to store the correspondence information between the resource access right of the user name of the user account in each network access area and the position identification information of that network access area.
A communication module 73, electrically connected to the storage module 72, used to receive the authentication request message sent by the access device, which contains the user name and password of the user account and the position identification information of the network access area in which the user account is currently located; to send an authentication acknowledgement message or an authentication failure message for the user name to the access device according to the authentication result; and, where the user name is authenticated successfully, to send the resource access right of this user account to the access device.
In a concrete application scenario, the position identification information of the network access area in which the user corresponding to the user name is currently located is specifically:
the IP address of the access device in the network access area in which the user corresponding to the user name is currently located; or
the IP address of the user terminal in the network access area in which the user corresponding to the user name is currently located.
In a concrete application scenario, if the position identification information of the network access area in which the user corresponding to the user name is currently located is specifically the IP address of the user terminal on which that user performs authentication, the following must also be set in the network authentication server:
the plurality of network access areas correspond respectively to a plurality of IP address sections;
the IP address of at least one user terminal included in a network access area lies within the IP address section corresponding to that network access area.
An authentication module 74, electrically connected to the storage module 72 and the communication module 73, used to obtain, from the access right information stored in the storage module 72, the access right information of the user name received by the communication module 73 in the network access area corresponding to the position identification information of the network access area.
In a concrete application scenario, the authentication of the user account in the network access area by the authentication module 74 is specifically realized as follows.
If the authentication module 74 successfully authenticates the match between the user name and password of the user account, the communication module 73 sends the authentication acknowledgement message for the user account to the access device and allocates resource access rights to this user account according to the correspondence between the access right information and the user name in the network access area;
If the authentication module 74 fails to authenticate the match between the user name and password of the user account, or the authentication module 74 fails to obtain from the storage module 72 the resource access right corresponding to the user name of the user account in the network access area corresponding to the position identification information of the network access area, the communication module 73 sends an authentication failure message to the access device and refuses resource access to this user account.
Through the present invention, access rights are allocated on the basis of the user's actual access position. This avoids access rights becoming uncontrollable when the access area changes, allows unified access right control to be applied to the non-fixed staff of each access area, and makes access with a single account convenient for the user, thereby improving the user experience while improving network security.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be realized in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical scheme of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash disk, a portable hard drive, etc.) and comprises a number of instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) to execute the method described in each implementation scenario of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are merely schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the apparatus in an implementation scenario can be distributed in the apparatus of that implementation scenario as described, or can be changed accordingly and arranged in one or more apparatuses different from the one in this implementation scenario. The modules of the above implementation scenario can be merged into one module, or further split into a plurality of submodules.
The sequence numbers of the above implementation scenarios of the present invention are for description only and do not indicate the relative merit of the scenarios.
The above discloses only a few concrete implementation scenarios of the present invention; however, the present invention is not limited to these, and any variation that those skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (9)

1. A right setting method for user access to a network, applied in a network system comprising a network authentication server and a plurality of network access areas, wherein each of said network access areas comprises an access device and at least one user terminal, at least one user account is established in said network system, and said user account corresponds to a user name, characterized in that said method comprises:
said network authentication server sets up at least one resource access right for each of said network access areas respectively;
said network authentication server sets, respectively, the resource access right corresponding to said user account in each of said network access areas;
said network authentication server stores the correspondence information between the resource access right of the user name of said user account in each network access area and the position identification information of said network access area;
when the user account requests access to a resource, said network authentication server receives the user account information forwarded by the access device together with the position identification information of said access device itself, and determines the resource access right corresponding to said user account in the network access area corresponding to said position identification information;
wherein said network access area is specifically the network area to which said user account requests access.
2. The method of claim 1, characterized in that the position identification information of said network access area is specifically:
the IP address of the access device in said network access area; or
the IP address of the user terminal in said network access area.
3. The method of claim 2, characterized in that, if the position identification information of said network access area is specifically the IP address of the user terminal in said network access area, said method further comprises:
said plurality of network access areas correspond respectively to a plurality of IP address sections;
the IP address of the user terminal included in said network access area lies within the IP address section corresponding to said network access area.
4. The method of claim 1, characterized in that, when the user account requests access to a resource, said network authentication server receiving the user account information forwarded by the access device together with the position identification information of said access device itself, and determining the resource access right corresponding to said user account in the network access area corresponding to said position identification information, specifically comprises:
said network authentication server receives the authentication request message sent by said access device, which contains the user name and password of said user account and the position identification information of the network access area in which said user account is currently located;
said network authentication server authenticates the match between the user name and password of said user account, and obtains the resource access right corresponding to the user name of said user account in the network access area corresponding to the position identification information of said network access area.
5. The method of claim 4, characterized in that it further comprises:
if authentication of the match between the user name and password of said user account succeeds, said network authentication server sends an authentication acknowledgement message for said user account to said access device and allocates resource access rights to said user account;
if authentication of the match between the user name and password of said user account fails, or said network authentication server fails to obtain the resource access right corresponding to the user name of said user account in the network access area corresponding to the position identification information of said network access area, said network authentication server sends an authentication failure message to said access device and refuses resource access to said user account.
6. A network authentication server, applied in a network system comprising the network authentication server and a plurality of network access areas, wherein each of said network access areas comprises an access device and at least one user terminal, at least one user account is established in said network system, and said user account corresponds to a user name, characterized in that it comprises:
a setting module, used to set up at least one resource access right for each of said network access areas, and to set, respectively, the resource access right corresponding to said user account in each of said network access areas;
a storage module, electrically connected to said setting module, used to store the correspondence information between the resource access right of the user name of said user account in each network access area and the position identification information of said network access area;
a communication module, electrically connected to said storage module, used to receive the authentication request message sent by said access device, which contains the user name and password of said user account and the position identification information of the network access area in which said user account is currently located, to send an authentication acknowledgement message or an authentication failure message for said user name to said access device according to the authentication result, and, where the user name is authenticated successfully, to send said user's resource access right to the access device;
an authentication module, electrically connected to said storage module and said communication module, used, when the user account requests access to a resource, to authenticate said user name in said network access area according to the user name and password of said user account and the position identification information of said access device itself, as forwarded by the access device and received by said communication module, together with the access right information stored in said storage module and the correspondence between said user name and the network access area;
wherein said network access area is specifically the network area to which said user account requests access.
7. The network authentication server of claim 6, characterized in that the position identification information of the network access area in which the user account corresponding to said user name is currently located is specifically:
the IP address of the access device in said network access area; or
the IP address of the user terminal in said network access area.
8. The network authentication server of claim 7, characterized in that, if the position identification information of said network access area is specifically the IP address of the user terminal in said network access area, it specifically further comprises:
said plurality of network access areas correspond respectively to a plurality of IP address sections;
the IP address of at least one user terminal included in said network access area lies within the IP address section corresponding to said network access area.
9. The network authentication server of claim 7, characterized in that the authentication of the user name of the user account in the network access area by said authentication module is specifically:
if said authentication module successfully authenticates the match between the user name and password of the user account, said network authentication server sends the authentication acknowledgement message for said user account to said access device and allocates resource access rights to said user account according to the correspondence between the access right information and said user name in the network access area;
if said authentication module fails to authenticate the match between the user name and password of said user account, or said network authentication server fails to obtain the resource access right corresponding to the user name of said user account in the network access area corresponding to the position identification information of said network access area, said network authentication server sends an authentication failure message to said access device and refuses resource access to said user account.
CN2009101487926A 2009-07-03 2009-07-03 Authority setting method of user access network and equipment Active CN101582769B (en)

Publications (2)

Publication Number Publication Date
CN101582769A CN101582769A (en) 2009-11-18
CN101582769B true CN101582769B (en) 2012-07-04

Family

ID=41364751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101487926A Active CN101582769B (en) 2009-07-03 2009-07-03 Authority setting method of user access network and equipment

Country Status (1)

Country Link
CN (1) CN101582769B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103973711A (en) * 2014-05-28 2014-08-06 中国农业银行股份有限公司 Verification method and device
CN113468511A (en) * 2021-07-21 2021-10-01 腾讯科技(深圳)有限公司 Data processing method and device, computer readable medium and electronic equipment

Families Citing this family (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958846B (en) * 2010-11-03 2015-04-15 北京北信源软件股份有限公司 Method for client roaming across servers
CN102487383B (en) * 2010-12-02 2015-01-28 上海可鲁系统软件有限公司 Industrial internet distributed system safety access control device
US8671206B2 (en) * 2011-02-28 2014-03-11 Siemens Enterprise Communications Gmbh & Co. Kg Apparatus and mechanism for dynamic assignment of survivability services to mobile devices
CN102413137B (en) * 2011-11-21 2014-10-08 北京地拓科技发展有限公司 Data access method and device
CN102404110A (en) * 2011-12-08 2012-04-04 宇龙计算机通信科技(深圳)有限公司 Method and device for obtaining keys
US9282086B2 (en) 2013-04-26 2016-03-08 Broadcom Corporation Methods and systems for secured authentication of applications on a network
DE102014207704B4 (en) * 2013-04-26 2019-11-28 Avago Technologies International Sales Pte. Ltd. METHOD AND SYSTEMS FOR SECURING AUTHENTICATION OF APPLICATIONS IN A NETWORK
CN103383724A (en) * 2013-06-28 2013-11-06 记忆科技(深圳)有限公司 Storing device and data access authority management method thereof
CN104378395B (en) * 2013-08-14 2019-02-05 华为技术有限公司 Access the method and device of OTT application, server push message
CN103607372B (en) * 2013-08-19 2016-12-28 深信服网络科技(深圳)有限公司 The authentication method of network insertion and device
CN104717062B (en) * 2013-12-11 2018-03-16 新华三技术有限公司 The method and device that a kind of visitor based on BYOD management systems quickly accesses
CN104767715B (en) * 2014-01-03 2018-06-26 华为技术有限公司 Access control method and equipment
CN103905431B (en) * 2014-03-07 2017-08-08 汉柏科技有限公司 A kind of user authen method and subscriber authentication server
CN104052756B (en) * 2014-06-27 2017-08-01 北京思特奇信息技术股份有限公司 A kind of method and system of business network element secure accessing service controller
CN105516378B (en) * 2014-09-25 2019-02-12 华为技术有限公司 The method and apparatus of on-position is provided
CN104394219A (en) * 2014-11-27 2015-03-04 英业达科技有限公司 Cloud management method
CN104468553B (en) * 2014-11-28 2019-01-15 北京奇安信科技有限公司 A kind of method, apparatus and system that public account logs in
US20160173465A1 (en) * 2014-12-12 2016-06-16 Rajesh Poornachandran Technologies for verifying authorized operation of servers
CN105429998A (en) * 2015-01-06 2016-03-23 李先志 Network security area login method and device
CN106034104B (en) 2015-03-07 2021-02-12 华为技术有限公司 Verification method, device and system for network application access
CN104916101B (en) * 2015-04-14 2018-07-06 北京网河时代科技有限公司 4.0 switch on wall control system of bluetooth
CN104951692A (en) * 2015-05-04 2015-09-30 联想(北京)有限公司 Information processing method and first electronic equipment
CN106162549A (en) * 2015-05-19 2016-11-23 中兴通讯股份有限公司 The processing method and processing device of access network
CN109150787A (en) * 2017-06-13 2019-01-04 西安中兴新软件有限责任公司 A kind of authority acquiring method, apparatus, equipment and storage medium
CN108429732B (en) * 2018-01-23 2021-01-08 平安普惠企业管理有限公司 Method and system for acquiring resources
CN110167102B (en) 2018-02-14 2021-01-15 华为技术有限公司 Network access method and related device
CN109145560B (en) * 2018-08-08 2022-03-25 北京小米移动软件有限公司 Method and device for accessing monitoring equipment
CN109660593B (en) * 2018-11-05 2021-12-07 深圳绿米联创科技有限公司 Internet of things platform access management method, device and system
CN110519404B (en) * 2019-08-02 2022-04-26 锐捷网络股份有限公司 SDN-based policy management method and device and electronic equipment
CN110620782A (en) * 2019-09-29 2019-12-27 深圳市珍爱云信息技术有限公司 Account authentication method and device, computer equipment and storage medium
CN113271285B (en) * 2020-02-14 2023-08-08 北京沃东天骏信息技术有限公司 Method and device for accessing network
CN112822160B (en) * 2020-12-29 2022-10-21 新华三技术有限公司 Equipment identification method, device, equipment and machine-readable storage medium
CN113612740B (en) * 2021-07-21 2022-08-26 腾讯科技(深圳)有限公司 Authority management method and device, computer readable medium and electronic equipment
CN113596044B (en) * 2021-08-03 2023-04-25 北京恒安嘉新安全技术有限公司 Network protection method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440607A (en) * 2000-06-30 2003-09-03 诺基亚公司 Network and method for controlling appliances
CN1523815A (en) * 2003-02-21 2004-08-25 北京润汇科技有限公司 Customer access management system for wideband network
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440607A (en) * 2000-06-30 2003-09-03 诺基亚公司 Network and method for controlling appliances
CN1523815A (en) * 2003-02-21 2004-08-25 北京润汇科技有限公司 Customer access management system for wideband network
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103973711A (en) * 2014-05-28 2014-08-06 中国农业银行股份有限公司 Verification method and device
CN113468511A (en) * 2021-07-21 2021-10-01 腾讯科技(深圳)有限公司 Data processing method and device, computer readable medium and electronic equipment
CN113468511B (en) * 2021-07-21 2022-04-15 腾讯科技(深圳)有限公司 Data processing method and device, computer readable medium and electronic equipment

Also Published As

Publication number Publication date
CN101582769A (en) 2009-11-18

Similar Documents

Publication Publication Date Title
CN101582769B (en) Authority setting method of user access network and equipment
US8973122B2 (en) Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
CN1685694B (en) Session key management for public wireless lan supporitng multiple virtual operators
EP2014067B1 (en) Provisioned configuration for automatic wireless connection
US9178915B1 (en) Cookie preservation when switching devices
Patel et al. Ticket based service access for the mobile user
CN101919221B (en) Authentication method without credential duplication for users belonging to different institutions
CN109918878A (en) Industrial Internet of Things device authentication and secure interaction method based on blockchain
CN104158824B (en) Genuine cyber identification authentication method and system
CN102916946B (en) Connection control method and system
CN101764742A (en) Network resource visit control system and method
CN101001144B (en) Method for implementing authentication by entity authentication centre
CN104159225A (en) Wireless network based real-name registration system management method and system
CN101986598B (en) Authentication method, server and system
CN108881309A (en) Access method, device, electronic equipment and readable storage medium for a big data platform
CN109413080B (en) Cross-domain dynamic authority control method and system
US20120266239A1 (en) Authorized data access based on the rights of a user and a location
CN102143492B (en) Method for establishing virtual private network (VPN) connection, mobile terminal and server
CN106127888A (en) Smart lock operating method and smart lock operating system
CN105827663A (en) Access control method and system
CN109088890A (en) Identity authentication method, related apparatus and system
CN101291220B (en) System, device and method for identity security authentication
CN108377244A (en) Intranet unified authentication method
CN108809930B (en) User authority management method and device
CN103069767B (en) Consigning authentication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou High-tech Industrial Development Zone, Zhejiang Province, 310053

Patentee before: H3C Technologies Co., Ltd.