CN107404485B - Self-verification cloud connection method and system thereof - Google Patents

Self-verification cloud connection method and system thereof

Info

Publication number
CN107404485B
Authority
CN
China
Prior art keywords
cloud
module
authentication
client
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710652299.2A
Other languages
Chinese (zh)
Other versions
CN107404485A (en
Inventor
牛增辉
刘大光
袁楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Tianxiang Ruiyi Technology Co ltd
Original Assignee
Beijing Tianxiang Ruiyi Technology Co ltd
Application filed by Beijing Tianxiang Ruiyi Technology Co ltd filed Critical Beijing Tianxiang Ruiyi Technology Co ltd
Priority to CN201710652299.2A priority Critical patent/CN107404485B/en
Publication of CN107404485A publication Critical patent/CN107404485A/en
Publication of CN107404485B publication Critical patent/CN107404485B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A self-verifying cloud connection method, comprising the following steps: the client connects to the Internet through an intelligent gateway, and a communication channel is established between the client and a third-party server over the Internet; the client sends an access request to the third-party server; the third-party server sends out a verification request after receiving the access request; after receiving the verification request, the intelligent gateway performs verification with the third-party server; and when the third-party server passes the verification, the client access succeeds. To address the shortcomings of the prior art, the invention provides a convenient, fast and low-cost integrated device that uses cloud resources through one-key login. It adds cloud identity recognition and authentication services on top of the existing cloud AC and cloud network, further improves the user's cloud experience, optimizes the control modes of the cloud network structure and the authentication service, ensures stable operation of the cloud service and the wireless network, and promotes the use of devices that automatically connect to cloud computing resources in high-speed wireless network environments.

Description

Self-verification cloud connection method and system thereof
Technical Field
The invention belongs to the technical field of network platform connection verification, and particularly relates to a self-verification cloud connection method and a system thereof.
Background
Currently, it is increasingly common for users to work in wireless network environments. The wireless network provides WiFi signals through a wireless Access Point (AP); a user has to log in from a device such as a notebook, mobile phone or desktop computer, and also has to log in to cloud services or application software.
The background technology related to the invention comprises: WiFi, cloud network, Portal authentication, directory service, single sign-on, identity protocol, SaaS/PaaS/IaaS, cloud network and Internet of things.
At present, almost all smart phones, notebook computers and even Internet of things devices support WiFi, which is the most widely used wireless network transmission technology today. WiFi is a technology that allows electronic devices to connect to a Wireless Local Area Network (WLAN), typically using either the 2.4G or 5G radio frequency bands. The connection to the wireless local area network is typically password protected, but it may also be open, allowing any device within WLAN range to connect.
WiFi in effect converts a wired network signal into a wireless signal, and its transmission speed can reach 54 Mbps-500 Mbps, so it is fast. The main advantage of WiFi is that it needs no wiring and is not limited by wiring conditions, which makes it well suited to mobile office users; and because the transmitted signal power is below 100 mW, with low power and little radiation, it is also relatively safe and healthy for surfing the Internet.
AP is the abbreviation of Access Point, generally translated as "wireless access point" or "bridge". It acts as a bridge between the wireless device and the wired LAN in the access control layer. The basic equipment for installing a wireless network is a wireless network card and an AP, so that network resources can be shared wirelessly alongside the existing wired architecture, with installation cost and complexity far lower than those of a traditional wired network. With an AP, a wireless device can connect to a network quickly and easily, just as with a hub in a typical wired network. WiFi is especially advantageous for broadband use: in theory, 802.11ac can provide up to 1 Gbps of bandwidth for multi-station wireless LAN communication, or up to 500 Mbps of transmission bandwidth for a single connection. At present, a wireless access point generally provides a flexible Internet of things expansion interface and can be extended with various standard Internet of things modules, including RFID, ZigBee and Bluetooth 4.0 modules.
APs fall into two categories: FAT AP (fat AP) and FIT AP (thin AP). Large-scale networks are currently built mostly with thin APs.
Fat APs themselves take on complex functions such as user authentication, roaming handoff, user data encryption, QoS and network management; the AP is relatively heavy and is therefore called a fat AP. It is almost the same as a current wireless router and is usually used in a standalone network, providing not only wireless access but also functions such as DHCP, routing and PPPoE. Its disadvantage is that centralized management is difficult when the network is large. Fat APs often employ open source operating systems such as OPENWRT (or DDWRT), while various applications are developed on cloud platforms.
A thin AP deployment adds a wireless controller (AC) as the central control and management device. The complex functions originally carried by the fat AP, such as user authentication, roaming handoff and dynamic keys, are moved to the wireless controller. The AP and the AC communicate through a tunnel and can be connected across L2 and L3 networks and even wide area networks, which greatly improves the working efficiency of the whole network. Such an AP cannot be used alone: it must work together with the AC and generally requires no configuration, since the AP automatically discovers the AC and then downloads its device configuration file from the AC. This mechanism is particularly important when there are hundreds or thousands of APs in the network, because it greatly reduces the difficulty of operation and maintenance. The disadvantage of the thin AP+AC architecture is that the AC and AP often need to communicate across a wide area network, which consumes more link bandwidth and requires low latency to be guaranteed; problems such as slow user authentication and poor roaming performance may also occur.
AC: wireless controller (Access Controller). An AC is a device used to manage and configure APs and to forward wireless user data for them. The common form is a box-type device; there are also very high-end plug-in card ACs that are inserted into rack-mounted equipment. One AC may manage anywhere from a few to thousands of APs.
Cloud AC technology
The AC may also be in software form and deployed at the cloud end, so long as the network between the AC and the AP is kept reachable. Cloud AC is a Network Function Virtualization (NFV) method. In conventional wireless network architectures, APs are often used with ACs. In practice, however, AC is not a necessary network device in the 802.11 protocol, but is a complement to the 802.11 protocol. The cloud AC is used for replacing the traditional AC, so that not only is the cost saved, but also the equipment can be managed and maintained in a centralized manner. Because of the AC "softening", the functionality of the AC can be concentrated into a very powerful cloud, so that cloud AC can share the "resilience" of cloud computing, including high availability and extensibility. For example, after a problem occurs in one of the ACs, the remaining ACs based on PaaS can take over, so that the stability and reliability of the whole system can be ensured; the performance may be extended laterally or longitudinally (Scale up/Scale out) when insufficient. The AP may also "move" independently of the specific deployment location, and the AP may accept cloud AC management in a network reachable environment as long as the appropriate configuration files are downloaded. The traditional hardware AC adopts a tight coupling mode for AP management, and is more suitable for managing a large number of APs in a local area network; the cloud AC is weakly coupled with the AP, and a lightweight interactive mode is better suitable for AP centralized management across the Internet and a wide area network.
In the cloud AC environment, the AP may be regarded as a networked antenna, and automatically adjusts wireless parameters to an optimal state according to the environment, such as channel scanning, packet-by-packet power adjustment, local data forwarding, and the like, and updates the configuration to the cloud AC. All cloud APs are automatically converged into a wireless network covering the whole area environment.
AP authentication, BRAS authentication, AC authentication and GW authentication in the WiFi network.
(1) AP authentication
AP authentication is the most common networking approach for commercial WiFi at small and medium merchants. Because the AP device sits below the merchant's dial-up router (some AP devices dial up directly, but their IP address is assigned by DHCP), the platform cannot ping or reach the AP. To implement the Portal authentication service, the AP device must therefore be configured with the domain name or IP address of the platform, and the AP actively communicates with the platform using the agreed protocol. In fat AP mode, the dominant protocol is the wifi protocol. In this mode, after a new user is authenticated successfully, the information is stored in the AP device and the cloud platform, so a user who has authenticated successfully under one AP cannot access the internet after switching to another AP of the same merchant and must re-authenticate. This is one of the root causes why fat APs are generally used only in small deployments and cannot provide non-perceived roaming.
(2) BRAS authentication
BRAS authentication is a mainstream authentication method in the WLAN networks of some operators. In this mode, Portal/Radius signaling is exchanged between the BRAS device and the operation platform, and the AP is identified from the PVLAN/CVLAN information configured on the BRAS. BRAS authentication is currently rarely used in the commercial WiFi of non-telecom operators. In this mode, after a new user is authenticated successfully, the information is stored in the BRAS device and the cloud platform, so roaming is non-perceived as long as the user switches between APs under the same BRAS.
(3) Gateway authentication
When gateway authentication is used with fat AP networking, it solves the problem of non-perceived switching across fat APs, so it can be applied in places that are cost sensitive and have larger continuous coverage areas. Gateway authentication can also be used in older environments: a gateway is added at the upstream network outlet of the wireless router without replacing the existing equipment, so that WiFi for the whole site can be upgraded, and commercial WiFi functions such as Portal push, Radius authentication, SMS/WeChat authentication, advertisement publishing and operation, and customer analysis are supported. In this mode, after a new user is authenticated successfully, the information is stored on the GW device and the cloud platform, so roaming is non-perceived as long as the user switches between APs under the same GW.
(4) AC authentication
AC authentication is another mainstream authentication mode for WLAN networks. It is used by some operators and is also the mainstream authentication mode of all large-scale commercial WiFi networks built with AC+thin AP. Compared with BRAS authentication, AC authentication is simpler to network and easier to implement for operators without BRAS resources. In addition, the Portal/Radius signaling between the AC and the operation platform can carry parameters based on the MAC and the SSID, which enables personalized Portal push with granularity down to the individual AP. In this mode, after a new user is authenticated successfully, the information is stored on the AC device and the backend platform, so roaming is non-perceived as long as the user switches between APs under the same set of ACs. With cloud AC, the number and scope of managed APs is greatly expanded.
Portal authentication
When the user accesses the network, the user is required to enter a user name and a password, and the network can be accessed after authentication succeeds. During authentication, the user needs to visit a website called the Portal. "Portal" is the English word for an entrance. Portal authentication is also commonly referred to as Web authentication, and Portal authentication websites are commonly referred to as portals.
Flow of authentication before a user uses WiFi:
Specifically, when an unauthenticated user goes online, the device forces the user to log in to a specific site; authentication is completed on that site, and internet resources can be used only after authentication passes. The user can actively visit the known Portal authentication website and enter a user name and password to authenticate; starting Portal authentication this way is called active authentication. Conversely, if the user attempts to access the external network through the browser, the user is forced to visit the Portal authentication site, which starts the Portal authentication process; this is called forced authentication. The user can complete authentication on the Portal by means such as account password, mobile phone SMS, a dedicated authentication device, or biometric recognition such as fingerprints. Currently, according to relevant national regulations, WiFi access in public places must use real-name authentication, which includes modes such as authentication with a mobile phone number and SMS verification code, WeChat authentication and the like.
After Portal authentication is completed, a navigation page is displayed as a welcome page by a general Portal, so that a user can conveniently surf the Internet. This welcome page is typically customizable, and may be a navigation page, an advertisement page, a use hint page, or the like.
In Portal authentication, the security policy server, although present in most Portal systems, is not an essential component. The authentication server is an optional component, but the billing service is not an optional component.
1. Authentication client
The client system installed on the user terminal is a browser running the HTTP/HTTPS protocol or a device running Portal client software, which may be a smart phone, a notebook computer, a desktop computer, or even an Internet of things (IoT) device. Security detection of the access terminal is accomplished through information exchange between the Portal client and the security policy server.
2. Access device
A general term for broadband access equipment such as access points, access controllers, switches and routers. It has three main functions:
Before authentication, all HTTP requests from the user are redirected to the Portal server.
During authentication, the authentication server interacts with the Portal server, the security policy server and the authentication/charging server to complete identity authentication, security authentication and charging.
After passing the authentication, the user is allowed to access the internet resources authorized by the administrator. The billing service is not necessarily optional if only the user is controlled to access the internet and authentication.
3. Portal server
The server system that receives the Portal client's authentication request. It provides a free Portal service and a Web-based authentication interface, and exchanges the authentication client's authentication information with the access equipment.
4. Authentication/billing server
Interacts with the access equipment to complete authentication and charging of the user.
5. Security policy server
Interacts with the Portal client and the access equipment to complete the security authentication and authorization of the user.
The interaction process of the five basic elements is as follows:
(1) When an unauthorized user accesses the network, an internet address is input in the address bar of the Web browser, and then the HTTP request is redirected to the Web authentication homepage of the Portal server when passing through the access device (AC wireless controller in WiFi).
(2) The user inputs authentication information in the authentication homepage/authentication dialog box and submits it, and the Portal server transmits the user's authentication information to the access equipment;
(3) The access equipment then communicates with the authentication/charging server to authenticate and charge;
(4) After the authentication is passed, if no security policy is applied to the user, the access device opens a path between the user and the Internet to allow the user to access the Internet; if a security policy is applied to the user, the client and the access equipment interact with the security policy server, and after the user's security detection is passed, the security policy server authorizes the user to access unrestricted resources according to the security of the user.
Typically, after a user has logged in and been allowed to access the internet, the user still needs to enter an application's account and password to log in to that application. Single sign-on techniques are involved if a user logs in to multiple systems using one set of account and password.
SaaS/PaaS/IaaS
SaaS: software as a service. An operator runs applications on a cloud computing infrastructure, and users can access them through a browser interface on various devices. The consumer does not need to manage or control any cloud computing infrastructure, including networks, servers, operating systems, storage, etc.;
PaaS: platform as a service. Applications developed or purchased by customers using the provided development languages and tools (e.g., Java, PHP, Python, .NET, etc.) are deployed onto the vendor's cloud computing infrastructure. The customer does not need to manage or control the underlying cloud infrastructure, including networks, servers, operating systems, storage, etc., but can control the deployed applications and possibly the configuration of the hosting environment in which they run;
IaaS: infrastructure as a service. The consumer uses all of the computing infrastructure, including processing CPUs, memory, storage, networks and other basic computing resources, and can deploy and run arbitrary software, including operating systems and application programs. The consumer does not manage or control any cloud computing infrastructure, but can control the selection of operating systems, storage space and deployed applications, and possibly has limited control of network components (e.g., routers, firewalls, load balancers, etc.).
Meanwhile, as companies adopt more and more cloud computing technologies, SaaS-based applications are entering the enterprise office environment in large numbers, and users expect to log in to these applications with as few accounts as possible, preferably with single sign-on. This means that a user can log in to the network using a single internet account and can then access cloud enterprise applications and email. Managing countless accounts and passwords, and keeping track of which cloud environment and which system uses which password, is very difficult for users, and forgotten or shared passwords often bring unknown risks. If the user only needs to log in once and that login can be reused afterwards, authentication and audit are simplified. This approach is called single sign-on.
Single Sign On (SSO) is an important service that most large enterprises offer to their users (employees, partners, clients). In the era of increasingly stringent information security regulations, the use of SSO technology has enabled companies to implement access control policies across multiple applications in a consistent manner, which reduces the overall cost of implementation. The administrator does not have to set password policies for various systems, which may include, but are not limited to, password length, password complexity, password use duration, reuse of previous passwords, etc., so that the work of the administrator is simplified, and the user experience is improved while the security is also improved.
The disadvantages of the prior art are summarised as follows:
1. The user manages multiple accounts and passwords and uses them to log in to third-party web applications, so the user experience is poor;
2. When a user's account and password are used to authorize a third-party application, the time and scope are difficult to control, and potential security hazards exist;
3. Authentication of network devices and software applications cannot be integrated, so a user needs to log in to the network and to multiple applications separately;
4. The access authentication and authorization of the AP are oriented to the local area network and cannot interoperate with cloud applications.
Therefore, single sign-on now needs to be extended from the AP to the cloud, so that the user truly has a one-time sign-on to the Internet and can not only access the network but also use various cloud services.
The prior art schemes are mainly of three types: authentication as a service, cloud AC authentication schemes, and cloud networks.
1. AaaS, authentication as a service
Each large enterprise software provider may offer some part of the technology or product in this area. The top-level solutions in this field include Security Access Manager for Enterprise Single Sign-On, CA SiteMinder and Oracle Access Management. The open source schemes mainly include CAS, OpenAM, Okta, directAxs and Ping Identity.
Each of the above products comes with its own agents, which must be installed on the Web servers and application servers that host the applications you want to protect and enable for SSO. Generally, agents are available for most of the main operating systems, Web server software and application server software. The agent intercepts a login request to an application and then passes the request to the SSO server, which makes the decision.
CAS (Central Authentication Service) is an open source project initiated by Yale University, and CAS is widely used to build open source Web SSO. CAS is a relatively simple and sufficiently secure SSO option.
The CAS Client is deployed on the client side (here meaning the Web application). In principle, deploying the CAS Client means that when there is an access request for a protected resource of the local Web application and the requester must be authenticated, the Web application does not itself accept any credentials such as username and password, but redirects to the CAS Server for authentication.
Currently, CAS supports a very large number of clients, including Java, .NET, ISAPI, PHP, Perl, Ruby, VBScript, etc., and the CAS protocol can be adapted to Client applications written in virtually any language.
Okta, directAxs, Azure AD, AWS IAM, etc. are each essentially a "cloud connector" that can integrate the large number of software applications used by a company and its staff. This approach is mainly oriented to cloud computing scenarios, and single sign-on across applications is realized with standard protocols such as OAuth2.0 and OpenID.
The Okta software allows the customer's staff to conveniently use a single, secured account number to log in to various network services that they need to use in their work, or for contractors, partners and customers. When an employee enters or leaves an enterprise, software can be used to quickly open or cancel the employee's rights to access applications and web services.
The AWS directory service allows users to provide a user directory, add team members, add machines to the domain, implement Kerberos single sign-on, and apply Group Policy. The AWS directory service can also extend an existing Active Directory (AD) into the cloud, integrating with the IAM. This approach may enable a user associated with a directory to single sign-on to the AWS management console either directly or through an existing AD server.
The domestic manufacturer related to cloud single sign-on is the Paira software, and the product ParaSecure Cloud SSO realizes the single sign-on of the SaaS application. User access to all SaaS applications authentication is done on ParaSecure Cloud SSO, the SaaS applications are not responsible for authentication of user identity. This scheme supports two scenarios:
1) The user logs in ParaSecure Cloud SSO firstly and then clicks the link of the SaaS application, so that single sign-on access application is automatically realized;
2) The user accesses the SaaS application first, is redirected to ParaSecure Cloud SSO, automatically returns to the SaaS application after authentication is completed, and automatically enters the application by single sign-on.
The product functions comprise centralized identity management, unified identity storage, unified authentication, security audit and an integration interface, and single sign-on integration can be conveniently realized as long as the SaaS application supports protocols such as SAML, OpenID and OAuth. The system supports high availability and cluster deployment, avoids single points of failure, can be scaled flexibly both horizontally and vertically, adapts to the requirements of enterprises of different sizes, and can complete single sign-on for an application through simple configuration in a B/S management interface.
2. Cloud AC authentication scheme
Currently, manufacturers such as Hua Chen, rui and koala all provide authentication schemes of cloud AC and Portal on the market. A user uses a thin AP+cloud AC structure, the AP equipment can be quickly brought into the management of the cloud AC, the AP can automatically discover the equipment to download configuration files, the cloud monitors the current state of the equipment in real time, and various remote management functions of software restarting, version upgrading and webpage management are achieved.
Through the configuration of the cloud AC control equipment end, the schemes of all manufacturers support functions such as equipment wireless configuration, equipment authentication configuration, access resource control, user management control, equipment management configuration, equipment log configuration, equipment system configuration and the like, and a configuration operation log recording function for recording relevant information of operation of each configuration item.
Meanwhile, most of the manufacturers' cloud ACs support integration with third-party Web applications such as cloud marketing platforms, advertising platforms and big data platforms through Portal extension functions, enabling advertisement pushing, precision marketing services and the like.
3. Cloud network
Besides cloud resources connected through the Internet, cloud computing vendors such as AWS, Azure, arian and the like also provide virtual network and direct-connect private line products, which help users obtain a better experience.
The private network in the cloud is preset with a logic isolation partition, and the local network can be easily expanded through VPN or direct connection private line, which provides an independent and safe environment for users to use cloud resources in the virtual network defined by the users. For example: the user can regard public cloud as own data center, define communication flow such as selecting own IP address range, creating sub-network, configuring route table and gateway direct connection cloud network, selecting to run load balancer, application program firewall, etc., thereby having higher control force when designing network; meanwhile, a user can easily extend the local IT environment to the cloud, and a hybrid cloud application program which is safely connected to the local data center can be constructed. If the platform as a service (PaaS) and the infrastructure as a service (IaaS) are integrated in one virtual network, greater flexibility and extensibility will be achieved in building the application. The related technical scheme is not complete enough in the aspects of equipment access, cloud application integration, internet-oriented, user experience and safety improvement. This is a problem addressed by the present apparatus and method.
Disclosure of Invention
To remedy the drawbacks of the login approach, the present invention proposes a self-verifying cloud connection method.
The technical solution is a self-verifying cloud connection method comprising the following steps:
the client is connected to the Internet through an intelligent gateway, and a communication channel is established between the client and a third party server through the Internet;
the client sends an access request to a third party server;
the third party server sends out a verification request after receiving the access request;
after receiving the verification request, the intelligent gateway verifies with the third party server;
the third-party server passes the verification, and the client's access succeeds.
Further, the intelligent gateway verification step includes:
the intelligent gateway checks, through the built-in RADIUS authentication server, whether verification information for the third-party server is stored;
if the intelligent gateway finds verification information for the third-party server, it sends that verification information to the third-party server for verification;
if the intelligent gateway does not find verification information for the third-party server, it sends a verification request to the client; after receiving the verification request, the client sends the verification information corresponding to the third-party server's verification request to the intelligent gateway; after receiving the client's verification information, the intelligent gateway sends it to the third-party server and at the same time stores the third-party server and the verification information for that third-party server.
A self-verifying cloud connection system comprises a cloud server, and a third-party server and a client each in signal connection with the cloud server, characterized in that it further comprises an intelligent gateway; the intelligent gateway is connected with the client and the cloud server respectively, and includes:
the Wifi connection module is used for connecting with the client and providing Wifi service for the client;
the communication module is electrically connected with the WIFI module and is used for verifying login information between the client and the intelligent gateway and realizing encrypted communication between the connector and the client;
the sending module is connected with the communication module and used for sending the client login request to a third party server;
the receiving module is used for receiving the verification request of the third-party server;
the storage module is used for storing the ID information of the third-party server accessed by the client;
the RADIUS authentication server is respectively connected with the communication module, the receiving module and the storage module and is used for checking the authentication information of the third-party server;
the feedback module is respectively connected with the RADIUS authentication server and the communication module and is used for sending the verification information to the corresponding third party server;
the recording module is respectively connected with the feedback module and the storage module, and is used for recording the verification information sent by the feedback module and the corresponding third-party server information, and sending the recording result to the storage module for storage.
The intelligent gateway also comprises a shell, a circuit board fixed in the shell and a data interface electrically connected with the circuit board, wherein the Wifi connection module, the communication module, the sending module, the receiving module, the storage module, the RADIUS authentication server, the feedback module and the recording module are respectively fixed on the circuit board.
The communication module, the sending module, the receiving module and the storage module are all single-chip microcomputers.
And an alarm indicator lamp is also arranged on the shell.
The housing comprises a bottom plate and a shell connected with the bottom plate. Guide rods are arranged at the four corners of the bottom plate, fixing rings through which the guide rods pass are arranged inside the shell, and the shell and the bottom plate are fixed together by the guide rods passing through the corresponding fixing rings.
The circuit board is fixed on the bottom plate, a through hole for a wire connected with the circuit board is formed in one side of the shell, a dustproof rubber sleeve is arranged on the through hole, and the wire penetrates through the dustproof rubber sleeve and is connected to the circuit board.
Problems solved by the invention: in view of the shortcomings of the prior art, the invention aims to provide a convenient, fast and low-cost integrated device for one-key login to cloud resources. It adds cloud identity recognition and authentication services on top of the existing cloud AC and cloud network, further improving the user's experience of moving to the cloud, and makes efficient use of the front end and back end of cloud resources at low cost. Through reasonable distribution and combination of authentication, it improves the service access flow and optimizes the cloud network structure and the control mode of the authentication service. Handling these in one integrated device allows concurrent users to be processed with good load balancing, ensures stable operation of the cloud service and the wireless network, and allows a device that connects automatically to cloud computing resources to be popularized and applied in high-speed wireless network environments.
Specifically:
1. cloud application plug and play: going online is completed automatically once the network is connected; the user does not need to install a software package or apply for an account, and the AP provides cloud services directly after it is connected to the network;
2. authentication as a service with convenient and quick access: access is made directly through an AP (access point); generally only a one-time registration and authentication by mobile phone number are required, completed at the same time, which reduces the user's operation steps; the bound cloud resources can then be accessed across the whole network, and Internet access is provided;
3. access from any point: an AP connected to the cloud completes authentication wherever the network can reach the cloud AC, and accesses services such as public cloud SaaS, PaaS and IaaS;
4. agile online operation and maintenance: an administrator can manage the authorization and restriction of cloud services, change configuration and security policy settings, and monitor applications through a Web portal.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described clearly and fully below with reference to the accompanying drawings; the embodiments described are some, but not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art based on these embodiments without inventive effort fall within the scope of the invention.
In the description of the present invention, it should be noted that the orientation or positional relationship indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of description of the present invention and to simplify the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted", "connected" and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
One embodiment of the present invention is described with reference to FIG. 1: a self-verifying cloud connection method comprising the following steps:
the client is connected to the Internet through an intelligent gateway, and a communication channel is established between the client and a third party server through the Internet;
the client sends an access request to a third party server;
the third party server sends out a verification request after receiving the access request;
after receiving the verification request, the intelligent gateway verifies with the third party server;
the third-party server passes the verification, and the client's access succeeds.
In the above method, the intelligent gateway verification step includes:
the intelligent gateway checks, through the built-in RADIUS authentication server, whether verification information for the third-party server is stored;
if the intelligent gateway finds verification information for the third-party server, it sends that verification information to the third-party server for verification;
if the intelligent gateway does not find verification information for the third-party server, it sends a verification request to the client; after receiving the verification request, the client sends the verification information corresponding to the third-party server's verification request to the intelligent gateway; after receiving the client's verification information, the intelligent gateway sends it to the third-party server and at the same time stores the third-party server and the verification information for that third-party server.
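The gateway verification step above, modelled as an added example that is not code from the patent. The class and function names, the sample accounts and the eviction of a stored entry that the third-party server rejects are assumptions; the example stores verification information only after the third-party server accepts it, the order given in claim 1.

```javascript
// Added illustration; SmartGateway, ThirdPartyServer and promptClient are
// hypothetical names, and all accounts and secrets are constructed samples.

class ThirdPartyServer {
  constructor(id, accounts) {
    this.id = id;             // identifier (e.g. domain name) of the service
    this.accounts = accounts; // Map: userId -> verification info it accepts
  }
  // Returns true when the presented verification information is accepted.
  verify(userId, secret) {
    return this.accounts.has(userId) && this.accounts.get(userId) === secret;
  }
}

class SmartGateway {
  constructor() {
    // Stands in for the store of the built-in RADIUS authentication server.
    // Entries are keyed by user AND server so one user's stored information
    // is never replayed for another user or another service.
    this.store = new Map();
    // Recording module: what was sent where. Secrets are never logged.
    this.log = [];
  }

  key(userId, serverId) {
    return `${userId}|${serverId}`;
  }

  // Handles a verification request issued by `server` for `userId`.
  // promptClient(serverId) asks the client for verification information.
  handleVerificationRequest(userId, server, promptClient) {
    const k = this.key(userId, server.id);

    // Branch 1: verification information for this server is already stored.
    if (this.store.has(k)) {
      const ok = server.verify(userId, this.store.get(k));
      this.log.push({ userId, server: server.id, source: "stored", ok });
      if (ok) return { ok: true, prompted: false };
      // Failure mode: the stored copy is stale (changed or revoked upstream).
      // Evict it and fall through to the client instead of retrying it.
      this.store.delete(k);
    }

    // Branch 2: nothing usable is stored, so ask the client and forward.
    const secret = promptClient(server.id);
    const ok = server.verify(userId, secret);
    this.log.push({ userId, server: server.id, source: "client", ok });
    // Store only what the third-party server accepted.
    if (ok) this.store.set(k, secret);
    return { ok, prompted: true };
  }
}

// Constructed scenario: first access, repeat access, rotated secret.
function demoGatewayFlow() {
  const server = new ThirdPartyServer(
    "saas.example",
    new Map([["alice", "sample-secret-1"]])
  );
  const gw = new SmartGateway();
  let prompts = 0;
  let clientSecret = "sample-secret-1";
  const promptClient = () => { prompts += 1; return clientSecret; };

  const first = gw.handleVerificationRequest("alice", server, promptClient);
  const second = gw.handleVerificationRequest("alice", server, promptClient);

  // The secret is rotated at the third-party server; the stored copy is stale.
  server.accounts.set("alice", "sample-secret-2");
  clientSecret = "sample-secret-2";
  const third = gw.handleVerificationRequest("alice", server, promptClient);
  const fourth = gw.handleVerificationRequest("alice", server, promptClient);

  // A different user never benefits from alice's stored entry.
  const bob = gw.handleVerificationRequest("bob", server, () => "guess");

  return { first, second, third, fourth, bob, prompts,
           stored: gw.store.size, log: gw.log };
}
```

The stored entry turns the gateway into a credential store for every service its users reach, so the store needs the same protection and audit coverage as any other authentication database.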
A self-verifying cloud connection system comprises a cloud server, and a third-party server and a client each in signal connection with the cloud server, characterized in that it further comprises an intelligent gateway; the intelligent gateway is connected with the client and the cloud server respectively, and includes:
the Wifi connection module is used for connecting with the client and providing Wifi service for the client;
the communication module is electrically connected with the WIFI module and is used for verifying login information between the client and the intelligent gateway and realizing encrypted communication between the connector and the client;
the sending module is connected with the communication module and used for sending the client login request to a third party server;
the receiving module is used for receiving the verification request of the third-party server;
the storage module is used for storing the ID information of the third-party server accessed by the client;
the RADIUS authentication server is respectively connected with the communication module, the receiving module and the storage module and is used for checking the authentication information of the third-party server;
the feedback module is respectively connected with the RADIUS authentication server and the communication module and is used for sending the verification information to the corresponding third party server;
the recording module is respectively connected with the feedback module and the storage module, and is used for recording the verification information sent by the feedback module and the corresponding third-party server information, and sending the recording result to the storage module for storage.
The intelligent gateway also comprises a shell, a circuit board fixed in the shell and a data interface electrically connected with the circuit board, wherein the Wifi connection module, the communication module, the sending module, the receiving module, the storage module, the RADIUS authentication server, the feedback module and the recording module are respectively fixed on the circuit board.
The communication module, the sending module, the receiving module and the storage module are all single-chip microcomputers.
And an alarm indicator lamp is also arranged on the shell.
The housing comprises a bottom plate and a shell connected with the bottom plate. Guide rods are arranged at the four corners of the bottom plate, fixing rings through which the guide rods pass are arranged inside the shell, and the shell and the bottom plate are fixed together by the guide rods passing through the corresponding fixing rings.
The circuit board is fixed on the bottom plate, a through hole for a wire connected with the circuit board is formed in one side of the shell, a dustproof rubber sleeve is arranged on the through hole, and the wire penetrates through the dustproof rubber sleeve and is connected to the circuit board.
The whole process of the invention uses the China Mobile Portal protocol standard 2.0, the RADIUS protocol, and OpenID Connect 1.0/OAuth 2.0 or the SAML protocol. The third-party server domain-name record in the storage module of the intelligent gateway does not store authentication information, and the RADIUS authentication server built into the intelligent gateway stores the user ID and the authentication information of the third-party server. Except when it doubles as an identity facilitator role itself, authentication information is stored.
The intelligent gateway comprises a cloud AC wireless controller and a plurality of APs, and supports deploying the AC as software on PaaS or IaaS. An Internet-facing cloud AC is a basic condition for one-key cloud.
The system comprises the Portal website, authentication services, SSO single sign-on, security policies and identity agents, and is responsible for data interaction between the Portal and the cloud AC, data interaction between the Portal and the authentication server, single sign-on, identity provider management, directory federation and mutual trust, and other functions.
Assume an application scenario with the following roles: (1) the service provider (SP), (2) the identity provider (IDP), (3) the user. The specific flow is as follows:
A. the user accesses a protected resource (the service provider) such as www.CloudNative.com and connects to the network through an AP of the system;
B. the user completes authentication through the Portal, and the Portal uses an identity provider to provide the authentication service during this process;
C. the identity provider generates an assertion proving the user's identity, signs it with its own private key, and returns information on whether the authentication succeeded to the Portal;
D. after obtaining the authentication success information, the Portal server sends information to the access server BAS (usually hardware);
E. the access server interacts with the RADIUS Internet authentication server to complete Internet authorization and release;
F. after Internet authorization is obtained, the Portal sends the authentication assertion and its private key to the service provider, which verifies the signature of the assertion with the public key of the identity provider, then trusts the assertion, judges the user to be legitimate, and allows the client to access the protected resource.
In this process, the access network can itself be regarded as a protected resource, with the user gradually obtaining access rights to protected resources as arranged by the Portal. A public/private key system is used to protect assertions against forgery and tampering and to establish the trustworthiness of identity providers, either by signing and encrypting the assertions or in combination with a digital certificate system; these are governed by the security policy service. The whole process uses the China Mobile Portal protocol standard 2.0, the RADIUS protocol, and OpenID Connect 1.0/OAuth 2.0 or the SAML protocol. For steps B to C, that is, the first time the user accesses the identity provider (e.g. WeChat), the BAS network access device must be preconfigured to allow temporary release of that website. Step C may use OpenID Connect 1.0/OAuth 2.0 or SAML, depending on which identity provider is used. Step D uses the China Mobile Portal protocol standard 2.0. Step E uses the RADIUS protocol. Step F uses OpenID Connect 1.0/OAuth 2.0 or SAML.
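Steps C and F above, as an added example that is not code from the patent: the identity provider signs an assertion and the service provider checks it with the identity provider's public key. The Ed25519 keys, the JSON claim names (`iss`, `sub`, `aud`, `exp`), the sample hosts other than www.CloudNative.com and the audience and expiry checks are assumptions that stand in for what SAML or OpenID Connect would carry; the service provider here needs only the public key.

```javascript
// Added illustration; function names and claim layout are hypothetical.
const crypto = require("node:crypto");

// Step C (identity provider): build the assertion and sign it with the
// IdP private key. For Ed25519 keys the algorithm argument must be null.
function issueAssertion(idpPrivateKey, claims) {
  const payload = Buffer.from(JSON.stringify(claims), "utf8");
  const signature = crypto.sign(null, payload, idpPrivateKey);
  return {
    payload: payload.toString("base64"),
    signature: signature.toString("base64"),
  };
}

// Step F (service provider): verify the signature with the IdP PUBLIC key
// first, and only then parse and evaluate the claims.
function verifyAssertion(assertion, idpPublicKey, expected, nowSec) {
  let payload;
  let signatureOk;
  try {
    payload = Buffer.from(assertion.payload, "base64");
    const signature = Buffer.from(assertion.signature, "base64");
    signatureOk = crypto.verify(null, payload, idpPublicKey, signature);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!signatureOk) return { ok: false, reason: "bad-signature" };

  let claims;
  try {
    claims = JSON.parse(payload.toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // A valid signature only proves who issued the assertion. The checks
  // below stop an assertion issued for another service, or an old one,
  // from being accepted here.
  if (claims.iss !== expected.issuer) return { ok: false, reason: "wrong-issuer" };
  if (claims.aud !== expected.audience) return { ok: false, reason: "wrong-audience" };
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, subject: claims.sub };
}

// Constructed scenario: one genuine assertion and four that must be refused.
function demoAssertionFlow() {
  const idp = crypto.generateKeyPairSync("ed25519");   // trusted IdP
  const other = crypto.generateKeyPairSync("ed25519"); // key the SP does not trust
  const now = 1700000000;                              // constructed clock value
  const claims = {
    iss: "idp.example",
    sub: "user-001",
    aud: "www.CloudNative.com",
    exp: now + 300,
  };
  const expected = { issuer: "idp.example", audience: "www.CloudNative.com" };

  const good = issueAssertion(idp.privateKey, claims);
  // Payload edited after signing, original signature kept.
  const tampered = {
    payload: Buffer.from(JSON.stringify({ ...claims, sub: "user-999" })).toString("base64"),
    signature: good.signature,
  };
  // Same claims, signed with a key that is not the IdP's.
  const untrusted = issueAssertion(other.privateKey, claims);
  // Genuine IdP signature, but issued for a different service provider.
  const otherAud = issueAssertion(idp.privateKey, { ...claims, aud: "other.example" });

  return {
    good: verifyAssertion(good, idp.publicKey, expected, now),
    tampered: verifyAssertion(tampered, idp.publicKey, expected, now),
    untrusted: verifyAssertion(untrusted, idp.publicKey, expected, now),
    otherAud: verifyAssertion(otherAud, idp.publicKey, expected, now),
    expired: verifyAssertion(good, idp.publicKey, expected, now + 301),
    empty: verifyAssertion({}, idp.publicKey, expected, now),
  };
}
```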
The identity proxy part requires custom code to be written to interact with the short message gateway (the telecom operator acting as identity provider) and with Web IDPs (WeChat, Weibo or any other OIDC/OpenID Connect compatible IDP), and then to call the authentication service to exchange the authentication tokens obtained from these IDPs for the system's temporary security credentials.
Under certain conditions, the module uses Microsoft Azure AD, Amazon Cognito on AWS, IAM of Alibaba Cloud or the like to handle interactions with IDPs, because these Internet-facing cloud authentication and directory services can act as identity agents and do much of the federation work, so that the system does not have to handle interactions with many IDPs itself.
The invention generally comprises an AC wireless controller and a plurality of APs, and supports deploying the AC as software on PaaS or IaaS. An Internet-facing cloud AC is a basic condition for one-key cloud. The system comprises the Portal website, authentication services, SSO single sign-on, security policies and identity agents, and is responsible for data interaction between the Portal and the cloud AC, data interaction between the Portal and the authentication server, single sign-on, identity provider management, directory federation and mutual trust, and other functions. The Portal is also responsible for navigation to and recommendation of applications after the user logs in by one key. This module performs most of the core functions of one-key cloud. The identity proxy part requires custom code to be written to interact with the short message gateway and with Web IDPs (WeChat, Weibo or any other OIDC compatible IDP), and then to call the authentication service to exchange the authentication tokens obtained from these IDPs for the system's temporary security credentials. Under certain conditions, the module uses Microsoft Azure AD, Amazon Cognito on AWS, IAM of Alibaba Cloud or the like to handle interactions with IDPs, because these Internet-facing cloud authentication and directory services can act as identity agents and do much of the federation work, so that the system does not have to handle interactions with many IDPs itself.
The present invention uses APIs to complete the actual connection to SaaS, PaaS, IaaS and cloud networks.
The invention can collect data and logs throughout the access, authentication, authorization and application access process, and provides security-oriented functions such as auditing, attack identification, response policy management and data analysis.
The application scenario is as follows:
Scenario one: campus application, hybrid cloud, with periodic sampling and pushing of new applications on the Portal. A campus deploys a WiFi network connected to the Internet, and its APs connect to the cloud AC of the system. An enterprise on the campus can, as a tenant, open cloud services on the AP by one key. For example, an administrator sets up the enterprise's employee accounts, the SaaS cloud services that have been opened and other pre-configuration on the SSO/directory server; the enterprise only needs to connect the AP and configure it so that the cloud AC is reachable over the network. Once a user logs in successfully, the Portal displays navigation to the SaaS application websites, so the user does not need to log in a second time to use the preset applications. In many cases the AC and the APs in the cloud access the public cloud through a dedicated direct-connect line for a better user experience, and the AP reaches the cloud virtual resources connected over that line, such as the virtual network, IaaS virtual machines and PaaS services, quickly and stably.
Scenario two: automatic attendance, sharing account location.
An employee logs in to WiFi in the office or factory area, the system authorizes the attendance application to access the AP location information of the user, and the attendance system automatically completes the attendance "card punching" process without the employee noticing. When the employee leaves the WiFi network during work, the attendance system automatically completes the "card punching" during work. Because the employee's office-area location information is shared with the attendance system, the system can count how long each employee is at work, whether the employee is at work, and even in which office area. All of these functions are provided once the employee has logged in to the network by one key, which greatly improves the user experience.
The above represents only the preferred technical solution of the present invention. Changes that those skilled in the art may make to parts of it embody the principles of the invention and fall within its scope of protection.

Claims (7)

1. A self-verifying cloud connection method, which is applied to a self-verifying cloud connection system, comprising: the cloud server is respectively connected with a third party server, a client and an intelligent gateway in a signal mode, wherein the intelligent gateway comprises a cloud AC module, a Wifi connection module, a Portal authentication module and a RADIUS authentication server which are used for expanding and accessing third party applications, and the method comprises the following steps:
connecting into a preset application program by utilizing cloud AC expansion;
the client sends a first access request to a third party server; the first access request is used for acquiring network communication connection;
the third party server sends out a verification request after receiving the access request;
after receiving the verification request, the intelligent gateway inputs verification information through a Portal authentication module, and verifies with the third party server through a RADIUS authentication server; the verification information is used for logging in network communication and logging in a preset application program;
the third party server passes the verification, and the intelligent gateway records the verification information;
the client sends a second access request to the third party server again; the second access request is used for logging in a preset application program;
the intelligent gateway verifies and utilizes verification information to verify with a preset application program of the cloud AC;
the client is not required to enter anything to log in to the preset application program.
2. A self-verifying cloud connection system, comprising a cloud server, and a third-party server and a client each in signal connection with the cloud server, the third-party server being used for authenticating verification information, characterized in that it comprises an intelligent gateway; the intelligent gateway is connected with the client and the cloud server respectively, and includes:
the Wifi connection module is used for connecting with the client and providing Wifi service for the client;
the cloud AC module is used for managing and authenticating the wireless Access Point (AP) and expanding access to third party applications;
a Portal authentication module;
the communication module is electrically connected with the WIFI module and is used for verifying login information between the client and the intelligent gateway and realizing encrypted communication between the connector and the client;
the sending module is connected with the communication module and used for sending the client login request to a third party server;
the receiving module is used for receiving the verification request of the third-party server;
the storage module is used for storing the ID information of the third-party server accessed by the client;
the RADIUS authentication server is respectively connected with the communication module, the receiving module and the storage module and is used for checking the authentication information of the third-party server;
the feedback module is respectively connected with the RADIUS authentication server and the communication module and is used for sending the verification information to the corresponding third party server;
the recording module is respectively connected with the feedback module and the storage module, and is used for recording the verification information sent by the feedback module and the corresponding third-party server information, and sending the recording result to the storage module for storage.
3. The self-verifying cloud connection system of claim 2, wherein the intelligent gateway further comprises a housing, a circuit board fixed in the housing and a data interface electrically connected with the circuit board, and the Wifi connection module, the communication module, the sending module, the receiving module, the storage module, the RADIUS authentication server, the feedback module, and the recording module are respectively fixed on the circuit board.
4. The self-verifying cloud connection system of claim 3, wherein the communication module, the sending module, the receiving module, and the storage module are all single-chip computers.
5. The self-verifying cloud connection system of claim 4, wherein an alarm indicator light is further provided on the housing.
6. The self-verifying cloud connection system of claim 3, wherein the housing comprises a bottom plate and a shell connected with the bottom plate, guide rods are arranged at the four corners of the bottom plate, fixing rings through which the guide rods pass are arranged inside the shell, and the shell and the bottom plate are fixed together by the guide rods passing through the corresponding fixing rings.
7. The self-verifying cloud connection system of claim 6, wherein the circuit board is fixed on the base plate, a through hole is formed in one side of the shell for a wire connected with the circuit board, a dustproof rubber sleeve is arranged on the through hole, and the wire passes through the dustproof rubber sleeve and is connected to the circuit board.
CN201710652299.2A 2017-08-02 2017-08-02 Self-verification cloud connection method and system thereof Active CN107404485B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710652299.2A CN107404485B (en) 2017-08-02 2017-08-02 Self-verification cloud connection method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710652299.2A CN107404485B (en) 2017-08-02 2017-08-02 Self-verification cloud connection method and system thereof

Publications (2)

Publication Number Publication Date
CN107404485A CN107404485A (en) 2017-11-28
CN107404485B true CN107404485B (en) 2023-11-07

Family

ID=60402451

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710652299.2A Active CN107404485B (en) 2017-08-02 2017-08-02 Self-verification cloud connection method and system thereof

Country Status (1)

Country Link
CN (1) CN107404485B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109905258B (en) * 2017-12-07 2020-11-17 华为技术有限公司 PaaS management method, device and storage medium
CN107864475B (en) * 2017-12-20 2021-05-28 中电福富信息科技有限公司 WiFi (Wireless Fidelity) shortcut authentication method based on Portal + dynamic password
CN108650209B (en) * 2018-03-06 2021-05-14 北京信安世纪科技股份有限公司 Single sign-on method, system, device and authentication method
CN110263525B (en) * 2018-03-07 2020-11-27 杭州海康威视数字技术股份有限公司 Equipment configuration method and device
CN108830081A (en) * 2018-06-14 2018-11-16 安徽鼎龙网络传媒有限公司 A kind of virtual lock emergency feedback system on micro- scene backstage
CN110611643A (en) * 2018-06-15 2019-12-24 上海仪电(集团)有限公司中央研究院 Cloud pipe end data security interaction system and method based on intelligent gateway
CN108834146A (en) * 2018-06-22 2018-11-16 武汉彤科电力科技有限公司 A kind of Bidirectional identity authentication method between terminal and authentication gateway
CN109218089B (en) * 2018-09-07 2021-09-17 郑州云海信息技术有限公司 Interface implementation method for transparent fault switching of distributed storage system
CN111416792B (en) * 2019-01-08 2022-07-05 杭州海康威视数字技术股份有限公司 Internal authentication-free method of embedded equipment and embedded equipment
CN113727344A (en) * 2020-05-25 2021-11-30 北京锐云通信息技术有限公司 Multi-factor authentication method in different scene safe internet access
CN111698250B (en) * 2020-06-11 2023-11-28 腾讯科技(深圳)有限公司 Access request processing method and device, electronic equipment and computer storage medium
CN111787642B (en) * 2020-07-29 2022-08-09 成都飞鱼星科技股份有限公司 Third-party application based authentication networking method and device
CN112632938A (en) * 2020-12-30 2021-04-09 杭州天阙科技有限公司 Form generation method and device and controller
CN114422212A (en) * 2021-12-31 2022-04-29 中煤科工集团信息技术有限公司 Industrial Internet device cloud connection method, system and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007293811A (en) * 2006-03-31 2007-11-08 Nippon Telegr & Teleph Corp <Ntt> Proxy authentication system and method and authentication apparatus using therewith
CN101741568A (en) * 2009-12-18 2010-06-16 成都市华为赛门铁克科技有限公司 Surfing method, client, security gateway and surfing system
CN102378171A (en) * 2010-08-16 2012-03-14 中国移动通信集团公司 Automatic authentication method and system thereof, Portal server, and RADIUS server
CN102523220A (en) * 2011-12-19 2012-06-27 北京星网锐捷网络技术有限公司 Web authentication method, and client and access layer device used for web authentication
CN103237019A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Cloud service accessing gateway system and cloud service accessing method
CN104092602A (en) * 2014-06-20 2014-10-08 裴兆欣 Cloud computing gateway
WO2016122545A1 (en) * 2015-01-29 2016-08-04 Hewlett Packard Enterprise Development Lp Cloud-hosted user authentication
CN106878269A (en) * 2016-12-30 2017-06-20 广州中致易和网络科技有限公司 A kind of network authentication platform

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10033702B2 (en) * 2015-08-05 2018-07-24 Intralinks, Inc. Systems and methods of secure data exchange
KR101795592B1 (en) * 2015-12-24 2017-12-04 (주)소만사 Control method of access to cloud service for business

Also Published As

Publication number Publication date
CN107404485A (en) 2017-11-28

Similar Documents

Publication Publication Date Title
CN107404485B (en) Self-verification cloud connection method and system thereof
JP7457173B2 (en) Internet of Things (IOT) device management
CN110944330B (en) MEC platform deployment method and device
AU2021200602B2 (en) Virtual private networking based on peer-to-peer communication
JP4291213B2 (en) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
EP3069493B1 (en) Authentication system
WO2015102872A1 (en) Split-application infrastructure
CA2914426C (en) Method for authenticating a user, corresponding server, communications terminal and programs
CN101379795A (en) address assignment by a DHCP server while client credentials are checked by an authentication server
JP2005519501A (en) System, method and apparatus for single sign-on service
CN109429272A (en) Shunt method and relevant device under a kind of roaming scence
EP3672160B1 (en) Internet of things connectivity device and method
CN110505188A (en) A kind of terminal authentication method, relevant device and Verification System
CN110401951A (en) Authenticate the methods, devices and systems of terminal in WLAN
EP2612514B1 (en) Network access
CN207706214U (en) It is a kind of to connect system from verification cloud
US11871236B2 (en) Method and a system for dynamic discovery of multi-access edge computing (MEC) applications
CN115086956A (en) Network access method, network access device, medium, and electronic device for communication network
WO2014086652A1 (en) Method of allowing communication between a secure element and a server
CN103428694A (en) Split terminal single sign-on combined authentication method and system
CN112202799B (en) Authentication system and method for realizing binding of user and/or terminal and SSID
Mortágua et al. Enhancing 802.1 X authentication with identity providers using EAP-OAUTH and OAuth 2.0
CN113626777A (en) Identity authentication method, storage medium and electronic device
CN117014435A (en) Private secure chat join mechanism for private communication architecture
CN117014251A (en) Private substance gateway linking mechanism for private communication architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant