CN102271132B - Control method and system for network access authority and client - Google Patents

Publication number: CN102271132B
Authority: CN (China)
Prior art keywords: acl, client, server, access, vpn
Legal status: Active
Application number: CN 201110210433
Other languages: Chinese (zh)
Other versions: CN102271132A
Inventor: 叶金龙
Current assignee: Beijing Star Net Ruijie Networks Co Ltd
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by: Beijing Star Net Ruijie Networks Co Ltd
Priority to: CN 201110210433
Publications: CN102271132A (application), CN102271132B (granted)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a control method and system for network access authority, and a client. When a public-network user accesses the network, a VPN server located in the intranet receives an online request sent by the public-network user's client and performs VPN authentication on the client; after VPN authentication succeeds, the VPN server receives and forwards the client's requests to access the public network or the intranet, and the gateway connecting the public network and the intranet drops the public-network access requests forwarded by the VPN server. When an intranet user accesses the network, an authentication server in the intranet receives an online request sent by the intranet user's client and performs authentication on the client; after authentication succeeds, the gateway connecting the public network and the intranet drops the public-network access requests sent by the client. With the method of the invention a user can only communicate within the restricted intranet, which effectively reduces the possibility of confidential information leaking to the public network through the user's arbitrary access to public-network resources.

Description

Control method, system and client for network access authority
Technical field
The present invention relates to the field of network communication, and in particular to a control method, system and client for network access authority.
Background technology
The Internet Protocol (IP) is the protocol designed for interconnecting computer networks. Before a computer can communicate with other computers on the network, it must first be configured with an IP address that uniquely identifies it during communication. Because the number of IP addresses on the Internet is limited, and more and more computers and mobile phones are joining the Internet, IP addresses have become severely insufficient. To solve the shortage of IP addresses, many enterprises (or organisations such as schools) have set up private networks, that is, intranets; the IP addresses inside an intranet can be managed and allocated by the network administrator at will. The counterpart of the intranet is the public network, that is, the Internet, whose IP addresses must be allocated centrally by the Internet Assigned Numbers Authority (IANA). A public-network computer can only communicate with other public-network computers and an intranet computer only with other intranet computers; a public-network computer cannot communicate directly with an intranet computer, which is why intranet IP addresses can be managed and allocated by the network administrator without conflicting with public IP addresses. If an intranet computer wants to communicate with a public-network computer, a public IP address must first be applied for from IANA; when the intranet computer accesses the public-network computer, it communicates with it through the applied-for public IP address acting as a proxy.
Enterprises (or organisations such as schools) have many computers (such as notebook computers) that are shared by many people, and a lot of important confidential information is stored on these notebook computers. So that this information is not leaked through the network, the enterprise requires these notebook computers to access only the intranet; because the intranet is a private network set up by the enterprise, important confidential information will not be leaked to the public network from there. However, when an employee travels on business and needs to carry the notebook computer, the notebook computer is likely to access the public network, the enterprise's confidential information is leaked to the public network, and the enterprise suffers a loss.
Summary of the invention
Embodiments of the present invention provide a control method, system and client for network access authority, in order to solve the existing problem that a user who can access public-network resources at will causes confidential information to leak.
A control method for network access authority provided by an embodiment of the present invention comprises:
A virtual private network (VPN) server located in the intranet receives an online request sent by the client of a public-network user and performs VPN authentication on the client;
After VPN authentication succeeds, the VPN server receives and forwards the client's requests to access the public network or the intranet;
The gateway connecting the public network and the intranet drops the public-network access requests forwarded by the VPN server.
An embodiment of the present invention also provides a control system for network access authority, comprising:
A virtual private network (VPN) server, for performing VPN authentication on the client of a public-network user after receiving the online request sent by that client, and, after VPN authentication succeeds, receiving and forwarding the requests of the public-network user's client to access the public network or the intranet;
A gateway connecting the public network and the intranet, for dropping the public-network access requests forwarded by the VPN server.
A control method for network access authority provided by an embodiment of the present invention comprises:
Before going online, the client of a public-network user sends an ACL authentication request, in accordance with a pre-set filtering rule, to an access control list (ACL) authentication server located in the intranet; the filtering rule defines that the client is only allowed to access the ACL authentication server;
After ACL authentication succeeds, the client receives the public IP address of the virtual private network (VPN) server located in the intranet, sent by the ACL authentication server;
According to the received public IP address of the VPN server, the client modifies the pre-set filtering rule to allow access to the ACL authentication server and the VPN server;
According to the modified filtering rule, the client sends an online request to the VPN server.
The present invention also provides a client, comprising:
An authentication request sending unit, for sending, before going online and in accordance with a pre-set filtering rule, an ACL authentication request to an access control list (ACL) authentication server located in the intranet;
An address receiving unit, for receiving, after ACL authentication succeeds, the public IP address of the virtual private network (VPN) server located in the intranet that the ACL authentication server sends;
A filtering rule modification unit, for modifying, according to the received public IP address of the VPN server, the pre-set filtering rule so that only access to the ACL authentication server and the VPN server is allowed;
An online request sending unit, for sending an online request to the VPN server in accordance with the modified filtering rule.
A control method for network access authority provided by an embodiment of the present invention comprises:
After an authentication server in the intranet receives an online request sent by the client of an intranet user, it authenticates the client going online;
After authentication succeeds, the gateway connecting the public network and the intranet drops the public-network access requests sent by the client.
An embodiment of the present invention also provides a control system for network access authority, comprising:
An authentication server, for authenticating the client of an intranet user going online after receiving the online request sent by that client;
A gateway connecting the public network and the intranet, for dropping the public-network access requests sent by the client after the authentication server's authentication succeeds.
A control method for network access authority provided by an embodiment of the present invention comprises:
The client of an intranet user sends an 802.1x authentication request to a Remote Authentication Dial In User Service (RADIUS) server located in the intranet;
The client receives the intranet IP address of the access control list (ACL) authentication server located in the intranet, sent by the RADIUS server after 802.1x authentication succeeds;
According to the received intranet IP address of the ACL authentication server, the client sets a filtering rule that allows access only to the ACL authentication server;
According to the filtering rule that has been set, the client sends an ACL authentication request carrying user information to the ACL authentication server;
After ACL authentication succeeds, the client modifies the filtering rule to allow access to any network, or to allow access to the network resources specified by the ACL authentication server.
An embodiment of the present invention also provides a client, comprising:
An 802.1x authentication request sending unit, for sending an 802.1x authentication request to a Remote Authentication Dial In User Service (RADIUS) server located in the intranet;
An address receiving unit, for receiving the intranet IP address of the access control list (ACL) authentication server located in the intranet that the RADIUS server sends after 802.1x authentication succeeds;
A filtering rule setting unit, for setting, according to the received intranet IP address of the ACL authentication server, a filtering rule that allows access only to the ACL authentication server;
An ACL authentication request sending unit, for sending, in accordance with the filtering rule that has been set, an ACL authentication request carrying user information to the ACL authentication server;
A filtering rule modification unit, for modifying the filtering rule, after ACL authentication succeeds, to allow access to any network or to allow access to the network resources specified by the ACL authentication server.
The beneficial effects of the embodiments of the present invention include:
In the control method, system and client for network access authority provided by an embodiment of the present invention, when a public-network user accesses the network, the VPN server located in the intranet receives the online request sent by the public-network user's client and performs VPN authentication on the client; after VPN authentication succeeds, the VPN server receives and forwards the client's requests to access the public network or the intranet; and the gateway connecting the public network and the intranet drops the public-network access requests forwarded by the VPN server. Because the public-network user's client can only access the network through the VPN server, the VPN server is located in the intranet, and the gateway drops the public-network access requests the VPN server forwards, only the intranet access requests sent by the public-network user are processed normally, which achieves the purpose of allowing the public-network user to access only within the scope of the intranet.
In the other control method, system and client for network access authority provided by an embodiment of the present invention, when an intranet user accesses the network, the intranet's authentication server receives the online request sent by the intranet user's client and authenticates the client going online; after authentication succeeds, the gateway connecting the public network and the intranet drops the requests the client sends to access the public network. Therefore only the intranet access requests sent by the intranet user are processed normally, which achieves the purpose of restricting the intranet user's client to accessing only within the scope of the intranet.
In summary, with the control method, system and client for network access authority provided by the embodiments of the present invention, a user, whether an intranet user or an external user, can only communicate within the restricted intranet, which effectively reduces the possibility of the user accessing public-network resources at will and leaking confidential information to the public network.
Description of the drawings
Fig. 1 is a first flow chart of the control method for network access authority provided by an embodiment of the present invention;
Fig. 2 is a second flow chart of the control method for network access authority provided by an embodiment of the present invention;
Fig. 3 is a flow chart of VPN authentication in the method provided by an embodiment of the present invention;
Fig. 4 is a third flow chart of the control method for network access authority provided by an embodiment of the present invention;
Fig. 5 is a flow chart of the authentication server authenticating the client going online, in the method provided by an embodiment of the present invention;
Fig. 6 is the network topology diagram provided by an embodiment of the present invention;
Fig. 7 is a flow chart of the online authentication of a public-network user in example one provided by an embodiment of the present invention;
Fig. 8 is a flow chart of the online authentication of an intranet user in example two provided by an embodiment of the present invention;
Fig. 9 is a first schematic diagram of the control system for network access authority provided by an embodiment of the present invention;
Fig. 10 is a first schematic diagram of the control device for network access authority provided by an embodiment of the present invention;
Fig. 11 is a second schematic diagram of the control system for network access authority provided by an embodiment of the present invention;
Fig. 12 is a second schematic diagram of the control device for network access authority provided by an embodiment of the present invention.
Embodiment
The control method, system and client for network access authority provided by embodiments of the present invention are described in detail below with reference to the accompanying drawings.
A control method for network access authority provided by an embodiment of the present invention is applicable to the situation in which a public-network user is to be restricted to accessing only the intranet. As shown in Fig. 1, the specific flow comprises:
S101: a virtual private network (VPN) server located in the intranet receives an online request sent by the client of a public-network user;
S102: the VPN server performs VPN authentication on the client;
S103: after VPN authentication succeeds, the VPN server receives and forwards the client's requests to access the public network or the intranet;
S104: the gateway connecting the public network and the intranet drops the public-network access requests forwarded by the VPN server.
Here the gateway drops the public-network access requests forwarded by the VPN server by having its own outlet port pre-configured as closed, so that a user's request to access the public network is discarded.
In steps S101 to S104 above, after the public-network user's client has successfully gone online through the VPN network, its requests to access the public network or the intranet can only be forwarded by the intranet's VPN server, and the outlet of the gateway connecting the public network and the intranet is in the closed state; therefore, when the gateway receives a public-network access request of the public-network user forwarded by the VPN server, it drops it. This guarantees that a public-network user who has gone online on the intranet can only access intranet resources, which avoids the situation in which the public-network user leaks its own confidential information by accessing the public network at will.
Preferably, as shown in Fig. 2, the control method for network access authority provided by an embodiment of the present invention may further perform the following steps before step S101:
S201: before going online, the client sends an ACL authentication request, in accordance with a pre-set filtering rule, to an access control list (ACL) authentication server located in the intranet; this filtering rule defines that the client is only allowed to access the ACL authentication server;
S202: the ACL authentication server receives the ACL authentication request and performs ACL authentication on the client;
In step S202, ACL authentication of the client can be implemented by authenticating the VPN user ID carried in the ACL authentication request.
S203: after ACL authentication succeeds, the ACL authentication server sends the public IP address of the VPN server to the client;
S204: the client receives the public IP address of the VPN server and, according to the received public IP address, modifies the filtering rule to allow access to the ACL authentication server and the VPN server.
The client is thus provided with a filtering rule from the start; since the initial filtering rule defines that the client is only allowed to access the ACL authentication server, it effectively eliminates the possibility of the public-network user accessing other resources in the public network before ACL authentication and VPN authentication have been performed.
Specifically, in step S102 above, the process by which the VPN server performs VPN authentication on the client, as shown in Fig. 3, comprises the following steps:
S1021: the VPN server authenticates the user name and password contained in the online request, checking whether they are consistent with the stored legitimate user name and password; if consistent, step S1022 is executed; if inconsistent, step S1023 is executed;
S1022: the VPN server sends a VPN authentication success response to the client;
S1023: the VPN server sends a VPN authentication failure response to the client.
In the embodiment of the present invention, the public-network user's client must first pass ACL authentication (in which only the VPN user ID is authenticated) to obtain the public IP address of the VPN server, and then perform VPN authentication with the VPN server (authenticating the VPN user ID and password). This double-authentication method further increases the reliability and security of authentication.
Preferably, when the public-network user goes offline, the above method provided by an embodiment of the present invention further comprises the following step:
The client sends an offline notification to the VPN server and modifies the filtering rule back to allowing access only to the ACL authentication server. This prevents the public-network user from accessing other public-network resources at will after leaving the VPN network.
Another control method for network access authority provided by an embodiment of the present invention is applicable to the situation in which an intranet user is to be restricted to accessing only the intranet. As shown in Fig. 4, it comprises the following steps:
S401: an authentication server in the intranet receives an online request sent by the client of an intranet user;
S402: the authentication server authenticates the client going online;
S403: after authentication succeeds, the gateway connecting the public network and the intranet drops the public-network access requests sent by the client.
Here the gateway drops the public-network access requests sent by the client by having its own outlet port pre-configured as closed.
The method of steps S401 to S403 above is applicable to the situation in which an intranet user connected to the intranet wants to access the network. Because the intranet user is inside the intranet, it cannot connect directly to the public network to access public-network resources; and when, after successfully going online, the intranet user sends requests to the intranet to access the intranet or the public network, the outlet of the gateway connecting the public network and the intranet is configured as closed, so when the gateway receives the intranet user's request to access the public network it drops it. This guarantees that the intranet user can only access intranet resources and prevents the intranet user from leaking its own confidential information.
Preferably, the intranet authentication server mentioned in the above method may consist of a Remote Authentication Dial In User Service (RADIUS) server and an access control list (ACL) authentication server.
Specifically, the process in step S402 by which the authentication server authenticates the client going online, as shown in Fig. 5, comprises the following steps:
S4021: the RADIUS server receives the 802.1x authentication request sent by the client and performs 802.1x authentication on the user information contained in it;
S4022: after 802.1x authentication succeeds, the RADIUS server sends the pre-stored intranet IP address of the ACL authentication server to the client, sends the user information to the ACL authentication server, and notifies the switch in the intranet to open the port connected to the client;
S4023: according to the received intranet IP address of the ACL authentication server, the client sets its filtering rule to allow access only to the ACL authentication server;
S4024: the ACL authentication server receives the ACL authentication request carrying the user information sent by the client and performs ACL authentication on the user information;
S4025: after ACL authentication succeeds, the client modifies its filtering rule to allow access to any network, or to allow access to the network resources specified by the ACL authentication server.
In the above flow, before the intranet user's 802.1x authentication succeeds, the switch port connected to the intranet user's client is closed. While that switch port is closed, the port connected to the client only lets through 802.1x authentication requests belonging to Extensible Authentication Protocol over LAN (EAPOL) messages; therefore, before 802.1x authentication succeeds, any message the intranet user sends from the switch port to other resources in the intranet is dropped.
After 802.1x authentication succeeds, although the switch has opened the port connected to the client, the filtering rule set on the intranet user's client only allows access to the ACL authentication server, so the intranet user still cannot access intranet or public-network resources before performing ACL authentication with the ACL authentication server. Only after the intranet user passes ACL authentication and modifies the filtering rule to allow access to any network, or to the network resources specified by the ACL authentication server, can the user actually access network resources.
Preferably, when the intranet user goes offline after having accessed the network, the above method provided by an embodiment of the present invention further comprises the following steps: the RADIUS server receives the offline notification sent by the client, notifies the switch to close the port connected to this client, and sends the client's user information to the ACL authentication server so that the ACL authentication server deletes the user information of this client.
In this way, after the intranet user goes offline, the switch port connected to the intranet user's client in the intranet is closed, so that any request the intranet user sends to access the intranet or the public network is dropped by the switch, and the intranet user can only access the network again after authenticating successfully with the authentication server once more.
The control method for network access authority provided by an embodiment of the present invention is explained below with two concrete examples. Fig. 6 is the network topology diagram for both examples; it contains client 1 of a public-network user and client 2 of an intranet user, and the two examples describe, respectively, the schemes that restrict client 1 and client 2 to accessing only the intranet.
Example one:
The control flow that restricts client 1 to accessing only the intranet, as shown in Fig. 7, comprises the following steps:
S701: before going online, client 1 is pre-configured with the public IP address of the ACL authentication server and a filtering rule is set; this filtering rule defines that client 1 is only allowed to access the ACL authentication server;
S702: client 1 selects the VPN authentication mode and sends an ACL authentication request carrying the VPN user ID to the ACL authentication server;
S703: the ACL authentication server performs ACL authentication on the VPN user ID; if authentication fails, step S704 is executed; if it succeeds, step S705 is executed;
S704: the ACL authentication server sends an ACL authentication failure response to client 1;
S705: the ACL authentication server issues the public IP address of the VPN server to client 1;
S706: according to the received public IP address of the VPN server, client 1 modifies its filtering rule so that only access to the ACL authentication server and the VPN server is allowed;
S707: client 1 sends a VPN authentication request carrying the user name and password to the VPN server;
S708: the VPN server checks whether the user name and password are consistent with the stored legitimate user name and password; if consistent, step S709 is executed; if inconsistent, step S710 is executed;
S709: the VPN server sends a VPN authentication success response to client 1;
S710: the VPN server sends a VPN authentication failure response to client 1.
Only after VPN authentication succeeds does client 1 send requests to access the intranet or the public network to the VPN server, which forwards these requests; because the gateway connecting the public network and the intranet is pre-configured as closed, the gateway drops the public-network access requests forwarded by the VPN server.
When client 1 goes offline, it sends an offline notification to the VPN server and modifies the filtering rule back to allowing access only to the ACL authentication server, preventing the public-network user from accessing the public network.
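The flow of example one, simulated in memory as an added example (this is not code from the patent or from Ruijie Networks): a client whose filtering rule starts as "only the ACL authentication server", widens to "ACL server and VPN server" after ACL authentication, and reverts when the client goes offline, with a VPN server that forwards only for clients that are online and a gateway whose outlet is pre-configured closed. All IP addresses, VPN user IDs, credentials and the assumption that intranet addresses are 10.x.x.x are constructed for the demonstration.

```python
# Added example (not code from the patent or from Ruijie Networks): an in-memory
# simulation of example one (steps S701-S710 and the offline step). All IP
# addresses, user IDs and credentials below are constructed for the demonstration.
from dataclasses import dataclass, field

ACL_SERVER_PUBLIC_IP = "203.0.113.10"   # constructed public IP of the ACL authentication server
VPN_SERVER_PUBLIC_IP = "203.0.113.20"   # constructed public IP of the VPN server
INTRANET_HOST = "10.0.0.5"              # constructed intranet resource
PUBLIC_HOST = "198.51.100.7"            # constructed public-network resource
INTRANET_PREFIX = "10."                 # assumption: intranet addresses are 10.x.x.x


@dataclass
class AclServer:
    """ACL authentication server: checks only the VPN user ID (S703) and, on
    success, issues the VPN server's public IP address (S705)."""
    known_vpn_user_ids: set

    def authenticate(self, vpn_user_id):
        if vpn_user_id in self.known_vpn_user_ids:
            return "success", VPN_SERVER_PUBLIC_IP
        return "failure", None


@dataclass
class VpnServer:
    """VPN server: checks user name and password (S708) and forwards the
    requests of clients that are online towards the gateway."""
    credentials: dict
    online: set = field(default_factory=set)

    def authenticate(self, username, password):
        if self.credentials.get(username) == password:
            self.online.add(username)
            return "success"
        return "failure"

    def forward(self, username, dst_ip, gateway):
        if username not in self.online:
            return "dropped: client not online"
        return gateway.handle(dst_ip)


class Gateway:
    """Gateway between the intranet and the public network; its outlet is
    pre-configured closed, so requests towards public addresses are dropped."""

    def handle(self, dst_ip):
        if dst_ip.startswith(INTRANET_PREFIX):
            return "delivered"
        return "dropped: gateway outlet closed"


@dataclass
class PublicClient:
    """Client 1. Its filtering rule starts as 'only the ACL server' (S701) and
    is widened to 'ACL server and VPN server' after ACL authentication (S706)."""
    vpn_user_id: str
    username: str
    password: str
    allowed_dst: set = field(default_factory=lambda: {ACL_SERVER_PUBLIC_IP})

    def permits(self, dst_ip):
        return dst_ip in self.allowed_dst

    def go_online(self, acl, vpn):
        if not self.permits(ACL_SERVER_PUBLIC_IP):
            return "blocked by client filter"
        status, vpn_ip = acl.authenticate(self.vpn_user_id)          # S702/S703
        if status != "success":
            return "acl failure"                                      # S704
        self.allowed_dst = {ACL_SERVER_PUBLIC_IP, vpn_ip}             # S706
        if not self.permits(vpn_ip):
            return "blocked by client filter"
        if vpn.authenticate(self.username, self.password) != "success":  # S707/S708
            return "vpn failure"                                      # S710
        return "online"                                               # S709

    def go_offline(self):
        # Offline: the filtering rule reverts to 'only the ACL server'.
        self.allowed_dst = {ACL_SERVER_PUBLIC_IP}


def run_example_one(vpn_user_id="vpnuser01", username="alice", password="s3cret"):
    """Run the whole flow and report what each access attempt produced."""
    acl = AclServer(known_vpn_user_ids={"vpnuser01"})      # constructed directory
    vpn = VpnServer(credentials={"alice": "s3cret"})       # constructed credentials
    gateway = Gateway()
    client = PublicClient(vpn_user_id, username, password)
    result = {"online": client.go_online(acl, vpn)}
    # The client never reaches PUBLIC_HOST directly: its filter permits only the two servers.
    result["direct_public"] = client.permits(PUBLIC_HOST)
    result["intranet"] = vpn.forward(username, INTRANET_HOST, gateway)
    result["public_via_vpn"] = vpn.forward(username, PUBLIC_HOST, gateway)
    client.go_offline()
    result["vpn_after_offline"] = client.permits(VPN_SERVER_PUBLIC_IP)
    return result


if __name__ == "__main__":
    for key, value in run_example_one().items():
        print(f"{key}: {value}")
```

Running the block with the default arguments shows the intended end state: the intranet request is delivered, the public-network request is dropped at the gateway even though the VPN server forwarded it, and after going offline the client can no longer reach the VPN server. Passing an unknown VPN user ID or a wrong password stops the flow at the ACL or VPN step respectively.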
Example two:
In example two, as shown in Fig. 6, client 2 of the intranet user is connected to a switch in the intranet. Before client 2 goes online, the switch port connected to client 2 is set to the closed state, the outlet of the gateway connecting the intranet to the public network is pre-configured as closed, and the intranet IP address of the ACL authentication server is pre-configured in the RADIUS server.
The control flow that restricts client 2 to accessing only the intranet, as shown in Fig. 8, comprises the following steps:
S801: client 2 selects the 802.1x authentication mode and sends an 802.1x authentication request carrying the user name and password to the RADIUS server;
S802: the RADIUS server checks the user name and password; if the check fails, step S803 is executed; if it succeeds, steps S804 to S806 are executed;
S803: the RADIUS server sends an 802.1x authentication failure response to client 2;
S804: the RADIUS server sends an 802.1x authentication success response carrying the intranet IP address of the ACL authentication server to client 2;
S805: the RADIUS server notifies the switch to open the port connected to client 2;
S806: the RADIUS server sends the user name and password of client 2 to the ACL authentication server;
S807: according to the received intranet IP address of the ACL authentication server, client 2 sets its filtering rule to allow access only to the ACL authentication server;
S808: client 2 sends an ACL authentication request carrying the user name, password and 802.1x user ID to the ACL authentication server;
S809: the ACL authentication server checks whether the user name, password and 802.1x user ID are consistent with its stored online user list; if inconsistent, step S810 is executed; if consistent, step S811 is executed;
S810: the ACL authentication server sends an ACL authentication failure response to client 2;
S811: the ACL authentication server sends the permitted network resource rights to client 2;
S812: client 2 modifies its filtering rule according to the permitted network resource rights.
After step S812 is executed, client 2 can send network access requests to the intranet and access network resources; but because the outlet of the gateway connecting the public network and the intranet is pre-configured as closed, the gateway drops the public-network access requests sent by client 2.
When client 2 goes offline, it sends an offline notification to the RADIUS server; on receiving it, the RADIUS server sends the user information of client 2 to the ACL authentication server so that the ACL authentication server deletes the stored user information, and notifies the switch to close the port connected to the client.
In this way, after client 2 goes offline, the switch port connected to client 2 in the intranet is closed, so that any request client 2 sends, whether to access the intranet or the public network, is dropped by the switch, and client 2 can only access the network again after authenticating successfully with the authentication server once more.
Based on the same inventive concept, the embodiment of the present invention also provides a system for controlling network access authority. Because the principle by which this system solves the problem is similar to that of the control method described above, the implementation of the system may refer to the implementation of the method, and repeated parts are not described again.
Where a public-network user connected to the public network accesses the network, the system for controlling network access authority provided by the embodiment of the present invention, shown in Figure 9, comprises:
a virtual private network (VPN) server 901, for receiving the online request sent by the client of the public-network user and performing VPN authentication on the client, and, after the VPN authentication succeeds, receiving and forwarding the public-network or intranet access requests sent by the client of the public-network user;
a gateway 902 connecting the public network and the intranet, for dropping the public-network access requests forwarded by VPN server 901.
Preferably, the above system provided by the embodiment of the present invention, shown in Figure 9, further comprises an ACL authentication server 903, for receiving the ACL authentication request that the client sends, before going online, according to a preset filtering rule, this filtering rule defining that the client may access only the ACL authentication server; authenticating the VPN user ID in the ACL authentication request sent by the client; and, after the ACL authentication succeeds, sending the public-network IP address of VPN server 901 to the client;
and the online request that VPN server 901 receives from the client of the public-network user is specifically the online request that the client sends according to the filtering rule modified on the basis of the public-network IP address of VPN server 901, the modified filtering rule allowing access only to ACL authentication server 903 and VPN server 901.
Where a public-network user connected to the public network accesses the network, the embodiment of the present invention also provides a client, shown in Figure 10, comprising:
an authentication request sending unit 1001, for sending, before going online and according to a preset filtering rule, an ACL authentication request to the access control list (ACL) authentication server located in the intranet;
an address receiving unit 1002, for receiving, after the ACL authentication succeeds, the public-network IP address of the virtual private network (VPN) server located in the intranet, as sent by the ACL authentication server;
a filtering rule modification unit 1003, for modifying the preset filtering rule, according to the received public-network IP address of the VPN server, so that it allows access only to the ACL authentication server and the VPN server;
an online request sending unit 1004, for sending an online request to the VPN server according to the modified filtering rule.
Preferably, the above client provided by the embodiment of the present invention, shown in Figure 10, further comprises:
an offline notice sending unit 1005, for sending an offline notice to the VPN server;
and filtering rule modification unit 1003 is further used, after the client goes offline, to revert the modified filtering rule to the preset filtering rule.
Where a public-network user connected to the public network accesses the network, the embodiment of the present invention also provides a client that comprises the above device for controlling network access authority.
Where an intranet user connected to the intranet accesses the network, the system for controlling network access authority provided by the embodiment of the present invention, shown in Figure 11, comprises:
an authentication server 1101, for authenticating the client of the intranet user after receiving the online request it sends;
a gateway 1102 connecting the public network and the intranet, for dropping the public-network access requests sent by the client after authentication server 1101 has authenticated it successfully.
Preferably, gateway 1102 in the system provided by the embodiment of the present invention drops the public-network access requests sent by the client specifically by having its own outlet closed.
Preferably, the above system provided by the embodiment of the present invention, shown in Figure 11, further comprises a switch 1103;
and authentication server 1101 specifically comprises a Remote Authentication Dial-In User Service (RADIUS) server 1104 and an access control list (ACL) authentication server 1105;
RADIUS server 1104 is for receiving the 802.1x authentication request sent by the client and performing 802.1x authentication on the user information it contains; after the 802.1x authentication succeeds, sending the pre-stored intranet IP address of ACL authentication server 1105 to the client and sending the user information to ACL authentication server 1105; and notifying switch 1103 in the intranet to open the port to which the client is connected;
switch 1103 is for opening the port to which the client is connected according to the notice sent by the RADIUS server;
ACL authentication server 1105 is for receiving the ACL authentication request carrying the user information that the client sends according to the filtering rule set on the basis of the intranet IP address of ACL authentication server 1105, this filtering rule allowing access only to the ACL authentication server; performing ACL authentication on the user information carried in the ACL authentication request according to the user information sent by the RADIUS server; and, after the ACL authentication succeeds, sending an ACL authentication success response to the client.
Preferably, RADIUS server 1104 in the above system provided by the embodiment of the present invention is further used, after receiving the offline notice sent by the client, to notify switch 1103 to close the port to which the client is connected;
and switch 1103 is further used to close the port to which the client is connected according to the notice sent by the RADIUS server.
Where an intranet user connected to the intranet accesses the network, the embodiment of the present invention also provides a client, shown in Figure 12, comprising:
an 802.1x authentication request sending unit 1201, for sending an 802.1x authentication request to the Remote Authentication Dial-In User Service (RADIUS) server located in the intranet;
an address receiving unit 1202, for receiving the intranet IP address of the access control list (ACL) authentication server located in the intranet, as sent by the RADIUS server after the 802.1x authentication succeeds;
a filtering rule setting unit 1203, for setting, according to the received intranet IP address of the ACL authentication server, a filtering rule that allows access only to the ACL authentication server;
an ACL authentication request sending unit 1204, for sending, according to the filtering rule that has been set, an ACL authentication request carrying the user information to the ACL authentication server;
a filtering rule modification unit 1205, for modifying the filtering rule, after the ACL authentication succeeds, so that it allows access to any network or to the network resources specified by the ACL authentication server.
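As an added illustration, not code from the patent, the following Python simulation walks through the intranet-user flow of Figure 8 (steps S801 to S812) and the components of Figures 11 and 12: the RADIUS 802.1x check, the client's filtering rule, the ACL authentication server's online-user list check, the gateway whose outlet is preconfigured closed, and the offline cleanup. The addresses, user records, resource grants and the format of the 802.1x user ID are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACL_SERVER_IP = "10.0.0.5"   # constructed intranet address of the ACL authentication server
INTRANET_PREFIX = "10."      # constructed: other destinations count as public network
ANY_NETWORK = "*"            # ACL grant meaning "any network resource" (claim 13)


@dataclass
class FilterRule:
    """Client-side filtering rule; an empty allow-set blocks every destination."""
    allowed: Set[str] = field(default_factory=set)

    def permits(self, dst: str) -> bool:
        return ANY_NETWORK in self.allowed or dst in self.allowed


@dataclass
class Switch:
    open_ports: Set[int] = field(default_factory=set)   # ports opened on RADIUS notice (S805)


@dataclass
class Gateway:
    egress_closed: bool = True   # outlet preconfigured closed: public-network requests are dropped


class AclServer:
    def __init__(self, grants: Dict[str, Set[str]]) -> None:
        self.grants = grants                            # username -> permitted resources
        self.online: Dict[str, Tuple[str, str]] = {}    # username -> (password, 802.1x user ID)

    def register(self, user: str, password: str, user_id: str) -> None:
        self.online[user] = (password, user_id)         # S806: RADIUS pushes the online user

    def unregister(self, user: str) -> None:
        self.online.pop(user, None)                     # offline: RADIUS asks for deletion

    def authenticate(self, user: str, password: str, user_id: str) -> Optional[Set[str]]:
        if self.online.get(user) != (password, user_id):
            return None                                 # S809/S810: not in the online-user list
        return set(self.grants.get(user, set()))        # S811: permitted network resources


class RadiusServer:
    def __init__(self, users: Dict[str, str], acl: AclServer, switch: Switch) -> None:
        self.users, self.acl, self.switch = users, acl, switch

    def authenticate_8021x(self, user: str, password: str, port: int) -> Optional[Tuple[str, str]]:
        if self.users.get(user) != password:
            return None                                 # S803: 802.1x failure
        user_id = f"dot1x-{user}-{port}"                # constructed 802.1x user ID
        self.switch.open_ports.add(port)                # S805
        self.acl.register(user, password, user_id)      # S806
        return ACL_SERVER_IP, user_id                   # S804: success carries the ACL server IP

    def offline(self, user: str, port: int) -> None:
        self.acl.unregister(user)                       # ACL server deletes the stored user
        self.switch.open_ports.discard(port)            # switch closes the client's port


class Client:
    def __init__(self, user: str, password: str, port: int) -> None:
        self.user, self.password, self.port = user, password, port
        self.rule = FilterRule()                        # nothing reachable before going online

    def go_online(self, radius: RadiusServer, acl: AclServer) -> bool:
        result = radius.authenticate_8021x(self.user, self.password, self.port)   # S801
        if result is None:
            return False
        acl_ip, user_id = result
        self.rule = FilterRule({acl_ip})                # S807: only the ACL server is reachable
        granted = acl.authenticate(self.user, self.password, user_id)             # S808
        if granted is None:
            return False                                # filter rule stays at S807's scope
        self.rule = FilterRule({acl_ip} | granted)      # S812: open the granted resources
        return True

    def send(self, dst: str, switch: Switch, gateway: Gateway) -> str:
        """Return which hop drops a request to dst, or 'delivered'."""
        if not self.rule.permits(dst):
            return "dropped-by-client-filter"
        if self.port not in switch.open_ports:
            return "dropped-by-switch"
        if not dst.startswith(INTRANET_PREFIX) and gateway.egress_closed:
            return "dropped-by-gateway"
        return "delivered"


def build_lab() -> Tuple[RadiusServer, AclServer, Switch, Gateway]:
    """Constructed lab: two intranet users, one granted any network, one a single host."""
    switch, gateway = Switch(), Gateway()
    acl = AclServer({"alice": {ANY_NETWORK}, "bob": {"10.0.1.20"}})
    return RadiusServer({"alice": "pw-a", "pw-b" and "bob": "pw-b"}, acl, switch), acl, switch, gateway
```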
With the control method, system and client for network access authority provided by the embodiment of the present invention, when a public-network user accesses the network, the VPN server located in the intranet receives the online request sent by the client of the public-network user and performs VPN authentication on the client; after the VPN authentication succeeds, the VPN server receives and forwards the public-network or intranet access requests sent by the client; and the gateway connecting the public network and the intranet drops the public-network access requests forwarded by the VPN server. Because the client of the public-network user, once VPN-authenticated, can access the network only through the VPN server, the VPN server is located in the intranet, and the gateway drops the public-network access requests the VPN server forwards, the public-network user is thereby restricted to accessing resources within the intranet.
With the control method, system and client for network access authority provided by the embodiment of the present invention, when an intranet user accesses the network, the authentication server of the intranet receives the online request sent by the client of the intranet user and authenticates the client; after the authentication succeeds, the gateway connecting the public network and the intranet drops the public-network access requests the client sends toward the external network. The client of the intranet user is thereby restricted to accessing resources within the intranet.
In summary, with the control method, system and client for network access authority provided by the embodiment of the present invention, both intranet users and external users can communicate only within the limited intranet, which effectively reduces the possibility that users access public-network resources at will and leak secret information to the public network.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to encompass them.

Claims (14)

1. A method for controlling network access authority, characterized in that it comprises:
an access control list (ACL) authentication server located in an intranet receiving an ACL authentication request that a client of a public-network user sends according to a preset filtering rule, the filtering rule defining that the client may access only the ACL authentication server;
the ACL authentication server authenticating a virtual private network (VPN) user ID in the ACL authentication request sent by the client;
after the ACL authentication succeeds, the ACL authentication server sending the client the public-network IP address of a VPN server located in the intranet;
the VPN server, after receiving an online request that the client of the public-network user sends according to a filtering rule modified on the basis of the public-network IP address of the VPN server, performing VPN authentication on the client, the modified filtering rule allowing access only to the ACL authentication server and the VPN server;
after the VPN authentication succeeds, the VPN server receiving and forwarding public-network or intranet access requests sent by the client;
and a gateway connecting the public network and the intranet dropping the public-network access requests forwarded by the VPN server.
2. A system for controlling network access authority, characterized in that it comprises:
an access control list (ACL) authentication server, for receiving an ACL authentication request that a client of a public-network user sends, before going online, according to a preset filtering rule, the filtering rule defining that the client may access only the ACL authentication server; authenticating a virtual private network (VPN) user ID in the ACL authentication request sent by the client; and, after the ACL authentication succeeds, sending the client the public-network IP address of a VPN server located in the intranet;
the VPN server, for performing VPN authentication on the client after receiving an online request that the client of the public-network user sends according to a filtering rule modified on the basis of the public-network IP address of the VPN server, the modified filtering rule allowing access only to the ACL authentication server and the VPN server; and, after the VPN authentication succeeds, receiving and forwarding public-network or intranet access requests sent by the client of the public-network user;
and a gateway connecting the public network and the intranet, for dropping the public-network access requests forwarded by the VPN server.
3. A method for controlling network access authority, characterized in that it comprises:
a client of a public-network user sending, before going online and according to a preset filtering rule, an ACL authentication request to an access control list (ACL) authentication server located in an intranet, the filtering rule defining that the client may access only the ACL authentication server;
after the ACL authentication succeeds, the client receiving the public-network IP address of a virtual private network (VPN) server located in the intranet, as sent by the ACL authentication server;
the client modifying the preset filtering rule, according to the received public-network IP address of the VPN server, so that it allows access only to the ACL authentication server and the VPN server;
and the client sending an online request to the VPN server according to the modified filtering rule.
4. The method of claim 3, characterized in that it further comprises:
the client sending an offline notice to the VPN server;
and reverting the modified filtering rule to the preset filtering rule.
5. A client, characterized in that it comprises:
an authentication request sending unit, for sending, before going online and according to a preset filtering rule, an ACL authentication request to an access control list (ACL) authentication server located in an intranet, the filtering rule defining that the client may access only the ACL authentication server;
an address receiving unit, for receiving, after the ACL authentication succeeds, the public-network IP address of a virtual private network (VPN) server located in the intranet, as sent by the ACL authentication server;
a filtering rule modification unit, for modifying the preset filtering rule, according to the received public-network IP address of the VPN server, so that it allows access only to the ACL authentication server and the VPN server;
and an online request sending unit, for sending an online request to the VPN server according to the modified filtering rule.
6. The client of claim 5, characterized in that it further comprises:
an offline notice sending unit, for sending an offline notice to the VPN server;
and the filtering rule modification unit is further used, after the client goes offline, to revert the modified filtering rule to the preset filtering rule.
7. A method for controlling network access authority, characterized in that it comprises:
a Remote Authentication Dial-In User Service (RADIUS) server in an intranet, after receiving an 802.1x authentication request sent by a client of an intranet user, performing 802.1x authentication on the user information contained in the 802.1x authentication request;
after the 802.1x authentication succeeds, the RADIUS server sending the client the pre-stored intranet IP address of an access control list (ACL) authentication server, sending the user information to the ACL authentication server, and notifying a switch in the intranet to open the port to which the client is connected;
the ACL authentication server in the intranet receiving the ACL authentication request carrying the user information that the client sends according to a filtering rule set on the basis of the intranet IP address of the ACL authentication server, and performing ACL authentication on the user information carried in the ACL authentication request according to the user information sent by the RADIUS server, the filtering rule allowing access only to the ACL authentication server;
after the ACL authentication succeeds, the ACL authentication server sending an ACL authentication success response to the client;
and a gateway connecting the public network and the intranet dropping the public-network access requests sent by the client.
8. The method of claim 7, characterized in that the gateway drops the public-network access requests sent by the client by having its own outlet closed.
9. The method of claim 7, characterized in that it further comprises:
after the RADIUS server receives an offline notice sent by the client, notifying the switch to close the port to which the client is connected.
10. A system for controlling network access authority, characterized in that it comprises:
a Remote Authentication Dial-In User Service (RADIUS) server, for receiving an 802.1x authentication request sent by a client of an intranet user and performing 802.1x authentication on the user information contained in the 802.1x authentication request; and, after the 802.1x authentication succeeds, sending the client the pre-stored intranet IP address of an ACL authentication server, sending the user information to the ACL authentication server, and notifying a switch in the intranet to open the port to which the client is connected;
the switch, for opening the port to which the client is connected according to the notice sent by the RADIUS server;
the access control list (ACL) authentication server, for receiving the ACL authentication request carrying the user information that the client sends according to a filtering rule set on the basis of the intranet IP address of the ACL authentication server, and performing ACL authentication on the user information carried in the ACL authentication request according to the user information sent by the RADIUS server, the filtering rule allowing access only to the ACL authentication server; and, after the ACL authentication succeeds, sending an ACL authentication success response to the client;
and a gateway connecting the public network and the intranet, for dropping the public-network access requests sent by the client after the authentication server has authenticated it successfully.
11. The system of claim 10, characterized in that the gateway drops the public-network access requests sent by the client specifically by having its own outlet closed.
12. The system of claim 10, characterized in that the RADIUS server is further used, after receiving an offline notice sent by the client, to notify the switch to close the port to which the client is connected;
and the switch is further used to close the port to which the client is connected according to the notice sent by the RADIUS server.
13. A method for controlling network access authority, characterized in that it comprises:
a client of an intranet user sending an 802.1x authentication request to a Remote Authentication Dial-In User Service (RADIUS) server located in an intranet;
the client receiving the intranet IP address of an access control list (ACL) authentication server located in the intranet, as sent by the RADIUS server after the 802.1x authentication succeeds;
the client setting, according to the received intranet IP address of the ACL authentication server, a filtering rule that allows access only to the ACL authentication server;
the client sending, according to the filtering rule that has been set, an ACL authentication request carrying user information to the ACL authentication server;
and the client, after the ACL authentication succeeds, modifying the filtering rule so that it allows access to any network or to the network resources specified by the ACL authentication server.
14. A client, characterized in that it comprises:
an 802.1x authentication request sending unit, for sending an 802.1x authentication request to a Remote Authentication Dial-In User Service (RADIUS) server located in an intranet;
an address receiving unit, for receiving the intranet IP address of an access control list (ACL) authentication server located in the intranet, as sent by the RADIUS server after the 802.1x authentication succeeds;
a filtering rule setting unit, for setting, according to the received intranet IP address of the ACL authentication server, a filtering rule that allows access only to the ACL authentication server;
an ACL authentication request sending unit, for sending, according to the filtering rule that has been set, an ACL authentication request carrying user information to the ACL authentication server;
and a filtering rule modification unit, for modifying the filtering rule, after the ACL authentication succeeds, so that it allows access to any network or to the network resources specified by the ACL authentication server.
CN 201110210433 2011-07-26 2011-07-26 Control method and system for network access authority and client Active CN102271132B (en)


Publications (2)

Publication Number Publication Date
CN102271132A CN102271132A (en) 2011-12-07
CN102271132B true CN102271132B (en) 2013-12-25


