CN102307097A - User identity authentication method and system - Google Patents

User identity authentication method and system

Info

Publication number
CN102307097A
CN102307097A
Authority
CN
China
Prior art keywords
user
network equipment
authentication
unified authentication
authentication server
Legal status
Pending
Application number
CN201110259182A
Other languages
Chinese (zh)
Inventor
黄韶军
Current Assignee
ZTE ICT Technologies Co Ltd
Original Assignee
ZTE ICT Technologies Co Ltd
Priority date
2011-09-02
Filing date
2011-09-02
Publication date
2012-01-04
Application filed by ZTE ICT Technologies Co Ltd
Priority to CN201110259182A
Publication of CN102307097A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides a user identity authentication method comprising: storing the authentication parameters of user identities centrally in a unified authentication server, and, when a user logs in to a network device, having the unified authentication server verify the legitimacy of the user identity. The invention also provides a user identity authentication system. With this method and system, unified user management and authentication based on a security policy are realised, a plurality of network devices authenticate user identities through one authentication point, and the maintenance burden and complexity for network device administrators are reduced, thereby lowering production cost and the threat to information security.

Description

User identity authentication method and system
Technical field
The present invention relates to the field of information security, and specifically to a user identity authentication method and system for network devices.
Background technology
As operators' networks grow, the number of network devices increases sharply. At present, the user accounts of each network device are maintained separately on that device: when the same user needs to log in to several network devices, an identical user must be created on each of them. With the rapid growth and commercialisation of networks, the drawbacks of this management model become more apparent by the day, especially where large numbers of firewalls, switches, routers and similar equipment are newly deployed. In addition, if one user's access control policy is to be changed, the policy must be changed on every device, which makes user maintenance on network devices difficult and tedious, increases production cost, and poses a serious threat to information security.
It is therefore necessary to propose a new user identity authentication method that solves the technical problems of the same user having to enter different passwords when logging in to different devices, and of the network device administrator having to create the same user on every device.
Summary of the invention
The object of the present invention is to provide a user identity authentication method and system that realise unified user management and authentication based on a security policy, so that a plurality of network devices authenticate user identities through one authentication point, relieving the network device administrator of difficult and tedious maintenance and thereby reducing production cost and information security threats.
To solve the above technical problem, the present invention provides a user identity authentication method in which the authentication parameters of user identities are stored centrally in a unified authentication server, and when a user logs in to a network device the unified authentication server verifies the legitimacy of the user identity.
Further, the authentication process specifically comprises:
the network device sends the authentication request parameters of the user identity to the unified authentication server;
the unified authentication server compares the authentication request parameters with the records stored in the unified authentication server; if a record matches the user's input, authentication succeeds, otherwise it fails.
Further, the authentication parameters of the user identity comprise a username and a password.
To solve the above technical problem, the present invention provides a user identity authentication method comprising:
step 1: when a user accesses a network device, the network device sends the authentication request parameters to the unified authentication server;
step 2: the unified authentication server receives the authentication request parameters, authenticates the user, and sends the authentication result parameter to the network device;
step 3: the network device decides, according to the received authentication result parameter, whether to allow the user to access the network device.
Further, step 1 specifically comprises:
step 1.1: the network device receives the authentication request parameters entered by the accessing user;
step 1.2: the network device encapsulates and converts the authentication request parameters into the authentication protocol;
step 1.3: after the protocol conversion is complete, the authentication request parameters are sent to the unified authentication server.
Further, step 2 specifically comprises:
step 2.1: the unified authentication server receives the authentication request parameters;
step 2.2: the unified authentication server looks up and compares the received authentication request parameters to obtain the authentication result parameter;
step 2.3: the unified authentication server sends the authentication result parameter to the network device.
Further, step 2.2 specifically comprises: the unified authentication server compares the authentication request parameters with the records stored in the unified authentication server; if a record matches the user's input, authentication succeeds, otherwise it fails.
Further, step 3 specifically comprises: when the authentication result parameter is positive, the user is a legitimate user and is allowed to access the network device; when the authentication result parameter is negative, the user is an illegitimate user and is refused access to the network device.
Further, the authentication parameters of the user identity comprise a username and a password.
To solve the above technical problem, the present invention provides a user identity authentication system comprising a network device and a unified authentication server, wherein
the network device is configured to receive the authentication request parameters entered by the user and send them to the unified authentication server;
the unified authentication server is configured to store centrally the records containing the authentication parameters of user identities, to verify the legitimacy of users logging in to the network device, and to send the authentication result parameter to the network device.
Further, the network device communicates with the unified authentication server using the LDAP or RADIUS protocol.
Compared with the prior art, the user identity authentication method and system provided by the invention store user identity accounts centrally in a unified authentication server, realise unified user management and authentication based on a security policy, and let a plurality of network devices authenticate user identities through one authentication point. The same user therefore no longer needs to enter different passwords when logging in to different devices, the network device administrator no longer needs to create the same user on every device, and a change to one user's access control policy is made once in the authentication server rather than on each device. This relieves the administrator of difficult and tedious maintenance and thereby reduces production cost and information security threats. The authentication protocols include LDAP and RADIUS, which give centralised management of the network and make a large number of network devices more flexible in responding to changes in the market and in demand.
Description of drawings
The drawings described here are provided for further understanding of the invention and form part of it; the illustrative embodiments of the invention and their description serve to explain the invention and do not limit it improperly. In the drawings:
Fig. 1 is a flow chart of a user identity authentication method provided by the invention;
Fig. 2 is a schematic structural diagram of a user identity authentication system provided by the invention;
Fig. 3 is a flow chart of a user identity authentication method provided by an embodiment of the invention.
Embodiment
In order to make the technical problem to be solved, the technical solution and the beneficial effects of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and not to limit it.
The present invention provides a user identity authentication method in which the authentication parameters of user identities, such as username and password, are stored centrally in a unified authentication server, and when a user logs in to a network device the user's legitimacy is verified there. The method comprises:
step 1: when a user accesses a network device, the network device sends the authentication request parameters to the unified authentication server; specifically:
step 1.1: the network device receives the authentication request parameters, such as username and password, entered by the accessing user;
step 1.2: the network device encapsulates and converts the authentication request parameters into the authentication protocol;
the protocol encapsulation uses LDAP (Lightweight Directory Access Protocol) or RADIUS (Remote Authentication Dial In User Service);
step 1.3: after the protocol conversion is complete, the authentication request parameters are sent to the unified authentication server;
step 2: the unified authentication server receives the authentication request parameters, authenticates the user, and sends the authentication result parameter to the network device; specifically:
step 2.1: the unified authentication server obtains parameters such as the username and password from the received authentication request parameters;
step 2.2: the unified authentication server looks up and compares the username and password to determine whether they are legitimate, obtaining the authentication result parameter; specifically:
the unified authentication server compares the username and password obtained after unpacking with the identity records stored in its LDAP directory; if a record matches the user's input, authentication succeeds and the logging-in user is matched to an identity record in LDAP; otherwise authentication fails; the authentication result parameter is obtained accordingly.
step 2.3: the unified authentication server sends the authentication result parameter to the network device;
step 3: the network device decides, according to the received authentication result parameter, whether to allow the user to access the network device. When the authentication result parameter is positive, the user is a legitimate user and is allowed to access the network device; when the authentication result parameter is negative, the user is an illegitimate user and is refused access to the network device.
As shown in Fig. 2, the present invention also provides a user identity authentication system comprising a network device 100 and a unified authentication server 200, wherein
the network device 100 is configured to receive the authentication request parameters entered by the user and send them to the unified authentication server 200;
the unified authentication server 200 is configured to store centrally the identity records containing the user's authentication parameters, such as username and password, to verify the legitimacy of users logging in to the network device, and to send the authentication result parameter to the network device 100.
Embodiments of the invention are described in detail below with reference to examples, showing how the invention applies technical means to solve the technical problem and achieve the technical effect, so that it can be fully understood and implemented.
As shown in Fig. 3, the present invention provides a user identity authentication method comprising:
step 10: the user enters the authentication request parameters, such as username and password; the network device receives the authentication request parameters entered by the user, encapsulates and converts them using LDAP or RADIUS, and after the protocol conversion is complete sends the authentication request parameters to the unified authentication server;
step 20: the unified authentication server receives the authentication request parameters, which comprise the username and password;
step 30: the unified authentication server matches the username and password against the user set stored in its LDAP directory; if a record matches the user's input, authentication succeeds and the logging-in user is matched to an identity record in LDAP; otherwise authentication fails; the authentication result parameter is obtained accordingly;
step 40: the unified authentication server sends the authentication result parameter to the network device;
step 50: the network device obtains the authentication result parameter from the unified authentication server and analyses it; if the authentication result parameter indicates a successful login, the user is allowed to access the device; otherwise access is denied and the device returns to the initial state of the user login.
The protocol used between the network device and the unified authentication server is LDAP or RADIUS.
1) LDAP protocol mode
In LDAP authentication mode, usernames and passwords are stored in the LDAP directory designated by the unified authentication server. When a user logs in, the username and password entered by the user are compared with the records in the LDAP directory; if a record matches the user's input, authentication succeeds and the logging-in user is matched to an identity record in LDAP; otherwise authentication fails.
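The LDAP mode above, written out as a complete bind exchange between the device and the server. This is an added example, not code from the patent: the wire format is the RFC 4511 BindRequest/BindResponse with a hand-rolled BER encoder so it runs offline without an LDAP server or a third-party library; the DNs, password, salt and the `{SSHA}` storage form are assumptions chosen for illustration.

```python
"""LDAP simple-bind exchange between a network device and the unified
authentication server (the "LDAP protocol mode" above).

Added example, not code from the patent. The wire format follows the
RFC 4511 BindRequest/BindResponse with a hand-rolled BER encoder so it runs
offline without an LDAP server or third-party library. The DNs, password
and salt below are constructed for illustration.
"""
import base64
import hashlib
import hmac

# BER tags used by an LDAP bind (RFC 4511 section 4.2)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61        # [APPLICATION 0] / [APPLICATION 1]
AUTH_SIMPLE = 0x80                              # AuthenticationChoice simple [0]
SUCCESS, PROTOCOL_ERROR, INVALID_CREDENTIALS = 0, 2, 49


def ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- network device side: step 1.2, encapsulate the credentials as a bind ---

def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    op = (tlv(INTEGER, ber_int(3))                 # LDAP version 3
          + tlv(OCTET_STRING, dn.encode())         # name: LDAPDN
          + tlv(AUTH_SIMPLE, password.encode()))   # simple authentication
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(BIND_REQUEST, op))


def parse_bind_response(packet: bytes) -> int:
    _, msg, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(msg, 0)                   # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        return PROTOCOL_ERROR
    _, code, _ = read_tlv(op, 0)                   # resultCode ENUMERATED
    return int.from_bytes(code, "big", signed=True)


# --- unified authentication server side: step 2.2, compare with the directory ---

def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


# Constructed directory: DN -> userPassword (fixed salt so the example is reproducible)
DIRECTORY = {
    "uid=alice,ou=netops,dc=example,dc=com": ssha("correct horse", b"\x01\x02\x03\x04"),
}


def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    op = tlv(ENUMERATED, ber_int(code)) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag.encode())
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(BIND_RESPONSE, op))


def handle_bind_request(packet: bytes) -> bytes:
    _, msg, _ = read_tlv(packet, 0)
    _, raw_id, pos = read_tlv(msg, 0)
    msg_id = int.from_bytes(raw_id, "big", signed=True)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return bind_response(msg_id, PROTOCOL_ERROR, "expected BindRequest")
    _, _, pos = read_tlv(op, 0)                    # version
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    stored = DIRECTORY.get(dn.decode(errors="replace"))
    # An empty password is an *unauthenticated* bind (RFC 4513 section 5.1.2), which many
    # servers accept as anonymous; a device login must treat it as a failure, not a match.
    if auth_tag != AUTH_SIMPLE or not cred or stored is None or not ssha_verify(cred, stored):
        return bind_response(msg_id, INVALID_CREDENTIALS)
    return bind_response(msg_id, SUCCESS)


def ldap_device_login(dn: str, password: str, msg_id: int = 1) -> bool:
    """Step 3: the device allows access only on resultCode success (0)."""
    request = build_bind_request(msg_id, dn, password)
    response = handle_bind_request(request)        # in reality sent over TCP/636 (LDAPS)
    return parse_bind_response(response) == SUCCESS
```

The point a practitioner should take from the bind is that the password travels in the BindRequest as a plain OCTET STRING: the patent fixes the protocol but says nothing about the transport, so the device-to-server link needs LDAPS or StartTLS, and the server must refuse the empty-password (unauthenticated) bind rather than report it as success.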
2) RADIUS protocol mode
In RADIUS authentication mode, the network device packs the authentication request parameters into a RADIUS packet and sends it to the unified authentication server. The unified authentication server unpacks the packet and compares the username and password with the records stored in its LDAP directory; if a record matches the user's input, authentication succeeds and the logging-in user is matched to an identity record in LDAP; otherwise authentication fails.
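The RADIUS mode above, and the step 1 to step 3 flow it implements, written out with both sides of the exchange. This is an added example, not code from the patent: the packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the shared secret, NAS identifier, user record and the in-memory record store standing in for the server's LDAP directory are assumptions chosen for illustration.

```python
"""RADIUS Access-Request / Access-Accept exchange between a network device
(the NAS) and the unified authentication server, covering the step 1 to
step 3 flow above in its "RADIUS protocol mode".

Added example, not code from the patent. Packet layout, User-Password
hiding and the Response Authenticator follow RFC 2865; the shared secret,
NAS identifier and user record below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32     # attribute types

SHARED_SECRET = b"constructed-per-nas-secret"           # one secret per NAS in practice

# Constructed record store on the unified authentication server. RADIUS/PAP
# needs the server to recover the plaintext password, so a real deployment
# compares it against the hashed userPassword in the LDAP directory.
USER_DB = {"alice": b"correct horse"}


def attr(atype: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, counts type and length) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# --- network device (NAS) side: steps 1.1 to 1.3 ---

def nas_build_access_request(ident: int, username: str, password: str):
    request_auth = os.urandom(16)          # fresh, unpredictable per request
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth))
            + attr(NAS_IDENTIFIER, b"core-switch-01"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def nas_check_reply(reply: bytes, ident: int, request_auth: bytes) -> bool:
    """Step 3: accept only a reply whose Response Authenticator proves it came
    from the holder of the shared secret and answers *this* request."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + SHARED_SECRET).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return False                       # forged or tampered reply: treat as reject
    return code == ACCESS_ACCEPT


# --- unified authentication server side: steps 2.1 to 2.3 ---

def server_handle(packet: bytes) -> bytes:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
        user = attrs[USER_NAME].decode(errors="replace")
        given = unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, request_auth)
        stored = USER_DB.get(user)
        ok = stored is not None and hmac.compare_digest(given, stored)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)      # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + b"" + SHARED_SECRET).digest()
    return header + resp_auth


def radius_device_login(username: str, password: str, ident: int = 7) -> bool:
    request, request_auth = nas_build_access_request(ident, username, password)
    reply = server_handle(request)         # in reality UDP/1812 to the unified authentication server
    return nas_check_reply(reply, ident, request_auth)
```

Two properties matter for the device in step 3: it must verify the Response Authenticator before honouring an Access-Accept, otherwise anyone who can reach the device can inject an accept, and it must bind the reply to its own identifier and Request Authenticator. User-Password hiding is MD5-keyed obfuscation under the shared secret, not encryption, and an Access-Request carrying only the attributes shown is not integrity-protected; a deployment of this design should additionally require the Message-Authenticator attribute (RFC 2869) and carry RADIUS over TLS (RFC 6614) on the device-to-server link.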
The user identity authentication method and system provided by the invention concern building a user authentication centre for network devices at operator and medium-to-large enterprise level, with unified identity authentication for network devices. They realise unified user management and authentication based on a security policy, store user identity accounts centrally in a unified authentication server, and let a plurality of network devices authenticate user identities through one authentication point. The same user therefore no longer needs to enter different passwords when logging in to different devices, the network device administrator no longer needs to create the same user on every device, and a change to one user's access control policy is made once in the authentication server rather than on each device. This relieves the administrator of difficult and tedious maintenance and thereby reduces production cost and information security threats. The authentication protocols include LDAP and RADIUS, which give centralised management of the network and make a large number of network devices more flexible in responding to changes in the market and in demand.
The above description illustrates and describes a preferred embodiment of the invention, but, as noted, it should be understood that the invention is not limited to the form disclosed here, should not be regarded as excluding other embodiments, and may be used in various other combinations, modifications and environments, and may be altered within the scope of the inventive concept described here by the above teachings or by the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the invention fall within the protection scope of the appended claims.

Claims (11)

1. A user identity authentication method, characterised in that the authentication parameters of user identities are stored centrally in a unified authentication server, and when a user logs in to a network device the unified authentication server verifies the legitimacy of the user identity.
2. The method of claim 1, characterised in that the authentication process specifically comprises:
the network device sends the authentication request parameters of the user identity to the unified authentication server;
the unified authentication server compares the authentication request parameters with the records stored in the unified authentication server; if a record matches the user's input, authentication succeeds, otherwise it fails.
3. The method of claim 1 or 2, characterised in that the authentication parameters of the user identity comprise a username and a password.
4. A user identity authentication method, characterised in that it comprises:
step 1: when a user accesses a network device, the network device sends the authentication request parameters to the unified authentication server;
step 2: the unified authentication server receives the authentication request parameters, authenticates the user, and sends the authentication result parameter to the network device;
step 3: the network device decides, according to the received authentication result parameter, whether to allow the user to access the network device.
5. The method of claim 4, characterised in that step 1 specifically comprises:
step 1.1: the network device receives the authentication request parameters entered by the accessing user;
step 1.2: the network device encapsulates and converts the authentication request parameters into the authentication protocol;
step 1.3: after the protocol conversion is complete, the authentication request parameters are sent to the unified authentication server.
6. The method of claim 4, characterised in that step 2 specifically comprises:
step 2.1: the unified authentication server receives the authentication request parameters;
step 2.2: the unified authentication server looks up and compares the received authentication request parameters to obtain the authentication result parameter;
step 2.3: the unified authentication server sends the authentication result parameter to the network device.
7. The method of claim 4, characterised in that step 2.2 specifically comprises: the unified authentication server compares the authentication request parameters with the records stored in the unified authentication server; if a record matches the user's input, authentication succeeds, otherwise it fails.
8. The method of claim 4, characterised in that step 3 specifically comprises: when the authentication result parameter is positive, the user is a legitimate user and is allowed to access the network device; when the authentication result parameter is negative, the user is an illegitimate user and is refused access to the network device.
9. The method of any one of claims 4 to 8, characterised in that the authentication parameters of the user identity comprise a username and a password.
10. A user identity authentication system, characterised in that it comprises a network device and a unified authentication server, wherein
the network device is configured to receive the authentication request parameters entered by the user and send them to the unified authentication server;
the unified authentication server is configured to store centrally the records containing the authentication parameters of user identities, to verify the legitimacy of users logging in to the network device, and to send the authentication result parameter to the network device.
11. The system of claim 10, characterised in that the network device communicates with the unified authentication server using the LDAP or RADIUS protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110259182A CN102307097A (en) 2011-09-02 2011-09-02 User identity authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110259182A CN102307097A (en) 2011-09-02 2011-09-02 User identity authentication method and system

Publications (1)

Publication Number Publication Date
CN102307097A 2012-01-04

Family

ID=45380912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110259182A Pending CN102307097A (en) 2011-09-02 2011-09-02 User identity authentication method and system

Country Status (1)

Country Link
CN (1) CN102307097A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1352429A (en) * 2001-11-29 2002-06-05 上海复旦光华信息科技股份有限公司 Centralized domain user authorization and management system
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control
WO2010149030A1 (en) * 2009-06-23 2010-12-29 中兴通讯股份有限公司 Centralized authentication method and system

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348790A (en) * 2013-07-30 2015-02-11 华耀(中国)科技有限公司 Method and system for realizing custom configuration of AAA (Authentication, Authorization and Accounting) framework
CN104158879A (en) * 2014-08-18 2014-11-19 浪潮(北京)电子信息产业有限公司 Cloud management platform architecture system and method for distributed data center
CN104158879B (en) * 2014-08-18 2018-02-23 浪潮(北京)电子信息产业有限公司 A kind of distributive data center cloud management platform architecture system and method
US10798570B2 (en) 2015-09-25 2020-10-06 Gunagdong Oppo Mobile Telecommunications Corp. Ltd. Terminal authentication method and device
US10412585B2 (en) 2015-09-28 2019-09-10 Guangdong Oppo Mobile Telecommunicaions Corp., Ltd. User identity authentication method and device
CN107124390B (en) * 2016-02-25 2021-05-04 阿里巴巴集团控股有限公司 Security defense and implementation method, device and system of computing equipment
CN107124390A (en) * 2016-02-25 2017-09-01 阿里巴巴集团控股有限公司 Prevention-Security, implementation method, the apparatus and system of computing device
WO2017219856A1 (en) * 2016-06-23 2017-12-28 中兴通讯股份有限公司 Circuit verification processing method and system, controller, and computer storage medium
CN107547467A (en) * 2016-06-23 2018-01-05 中兴通讯股份有限公司 A kind of circuit authentication method, system and controller
CN107547467B (en) * 2016-06-23 2021-09-24 中兴通讯股份有限公司 Circuit authentication processing method, system and controller
CN106330866A (en) * 2016-08-12 2017-01-11 浪潮(北京)电子信息产业有限公司 Centralized router authentication system and method
CN107888668A (en) * 2017-10-31 2018-04-06 合肥天鹰高科技有限公司 One kind enterprise letter platform equipment managing method
CN107846408A (en) * 2017-11-17 2018-03-27 北京汉王智远科技有限公司 Identity authorization system and method based on cloud platform
CN109088879A (en) * 2018-09-07 2018-12-25 郑州云海信息技术有限公司 LDAP domain server authentication interface implementation method outside distributed memory system
CN109088879B (en) * 2018-09-07 2021-05-11 郑州云海信息技术有限公司 Method for realizing authentication interface of external LDAP domain server of distributed storage system
CN110417769A (en) * 2019-07-24 2019-11-05 孙洪亮 A kind of industry internet platform Multi Identity Attestation method
CN113114464A (en) * 2020-01-13 2021-07-13 中国移动通信集团重庆有限公司 Unified security management system and identity authentication method
CN113114464B (en) * 2020-01-13 2023-10-27 中国移动通信集团重庆有限公司 Unified security management system and identity authentication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice

Addressee: Wu Zhenyu

Document name: Notification of Passing Examination on Formalities

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120104