CN114143045A - Method for realizing enterprise local area network unified authentication based on VPN environment - Google Patents

Info

Publication number
CN114143045A
Authority
CN
China
Prior art keywords
vpn
authentication
user
software
terminal
Legal status
Pending
Application number
CN202111350053.2A
Other languages
Chinese (zh)
Inventor
王洋
Current Assignee
Jiuquan Iron and Steel Group Co Ltd
Original Assignee
Jiuquan Iron and Steel Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to the technical field of network communication, in particular to a method for realizing unified authentication of an enterprise local area network based on a VPN environment. The system comprises a plurality of VPN users and a RADIUS authentication server. The next hop for traffic whose source address is the IP address of a VPN user is pointed at a newly added authentication switch; all traffic from the authentication switch is directed to an existing SDN unified authentication server; the traffic of every VPN user therefore goes to the RADIUS authentication server for authentication first, and VPN users are not allowed access before authentication. If the RADIUS authentication server finds that a VPN user's terminal does not comply with the authentication rules, the VPN user is prohibited from accessing the resources of the enterprise intranet; otherwise the VPN user is allowed to access them.

Description

Method for realizing enterprise local area network unified authentication based on VPN environment
Technical Field
The invention relates to the technical field of network communication, in particular to a method for realizing uniform authentication of an enterprise local area network based on a VPN environment.
Background
A VPN network is characterised by a virtual tunnel established over the Internet: a VPN user can access intranet resources and Internet resources at the same time, and no security protection is applied when intranet resources are accessed. Enterprise IT management staff therefore lack any means of managing the terminals in the VPN network, and the security of the enterprise intranet cannot be guaranteed.
VPN technology is widely used in enterprise networks today, and the backbone network of a typical large or medium-sized enterprise consists of a wired network, a wireless network, a GPON network, a VPN network and so on. However, because the VPN network is built on a virtual tunnel over the Internet, VPN users can access intranet and Internet resources at the same time, and in many VPN networks the number of users, their operating behaviour and whether they have installed security software cannot be known; the users in the VPN network therefore cannot be managed by the enterprise, and the network security of the VPN terminals cannot be guaranteed. By the barrel (weakest-link) effect, the VPN network becomes the weakest link of the enterprise, so a method that secures VPN terminals with the enterprise's existing network-security means is urgently needed.
Disclosure of Invention
The invention aims to provide a method for realizing unified authentication of an enterprise local area network based on a VPN environment. It uses the principle of network routing to direct all traffic with which terminals in the VPN network access the enterprise intranet to the RADIUS authentication server of the enterprise wired network, and the RADIUS authentication server manages the VPN users to ensure the security of the enterprise intranet.
To solve this technical problem, the invention discloses a method for realizing unified authentication of an enterprise local area network based on a VPN environment. The system comprises a plurality of VPN users and a RADIUS authentication server, and the method comprises the following steps:
S1, the RADIUS authentication server issues a username and password to every VPN user and requires the terminal of every VPN user to install the authentication software;
S2, an authentication switch is added below the enterprise's existing Internet boundary switch, and the next hop for traffic whose source address is a VPN user's IP address is pointed at the added authentication switch;
S3, all traffic from the authentication switch is directed to the existing SDN unified authentication server, so the traffic of every VPN user first goes to the RADIUS authentication server for authentication, and VPN users are not allowed access before authentication;
S4, the RADIUS authentication server performs security access authentication on VPN users accessing intranet resources: it verifies whether the VPN user's terminal has the authentication software required in step S1 installed, and detects whether the terminal has the security software installed and whether it has violation software installed;
S4.1, if the RADIUS authentication server finds that the terminal has no authentication software, or the authentication software detects that the terminal has no security software, or the authentication software detects that the terminal has violation software, the VPN user is prohibited from accessing intranet resources but is not restricted from accessing other Internet resources;
S4.2, if the RADIUS authentication server finds that the terminal has the authentication software, and the authentication software detects that the terminal has the security software and no violation software, the VPN user is allowed to access intranet resources.
Further, in step S1, the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
Further, in step S4, the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
The invention has the following beneficial effects. The system comprises a plurality of VPN users and a RADIUS authentication server, and the RADIUS authentication server issues usernames and passwords to all VPN users; the next hop for traffic whose source address is a VPN user's IP address is pointed at the newly added authentication switch; all traffic from the authentication switch is directed to the existing SDN unified authentication server; the traffic of every VPN user therefore goes to the RADIUS authentication server for authentication first, and VPN users are not allowed access before authentication. If the RADIUS authentication server finds that the VPN user's terminal has no authentication software, or the authentication software detects that the terminal has no security software, or the authentication software detects that the terminal has illegal software, the VPN user is prohibited from accessing intranet resources but is not restricted from accessing other Internet resources; if the RADIUS authentication server finds that the terminal has the authentication software, and the authentication software detects that the terminal has the security software and no illegal software, the VPN user is allowed to access intranet resources. The invention uses the principle of network routing: through the authentication software, the RADIUS authentication server checks whether the security software required by its policy is installed on the VPN user's terminal and whether illegal software is installed, and ensures that a VPN user cannot access the intranet before authentication or after authentication fails, while not restricting the VPN user's access to other Internet resources. It is flexible and convenient to use, cost-effective and efficient, greatly improves the security of the enterprise intranet, and makes it convenient for the enterprise to supervise VPN users.
Drawings
FIG. 1 illustrates the prior-art manner in which a VPN network terminal accesses the intranet;
FIG. 2 shows the manner in which a VPN network terminal accesses the intranet after unified authentication according to the present invention.
Detailed Description
As shown in FIG. 1 and FIG. 2, the method of the present invention for implementing unified authentication of an enterprise LAN based on a VPN environment comprises a plurality of VPN users and a RADIUS authentication server, and includes the following steps:
S1, the RADIUS authentication server issues a username and password to every VPN user and requires the terminal of every VPN user to install the authentication software;
S2, an authentication switch is added below the enterprise's existing Internet boundary switch, and the next hop for traffic whose source address is a VPN user's IP address is pointed at the added authentication switch;
S3, all traffic from the authentication switch is directed to the existing SDN unified authentication server, so the traffic of every VPN user first goes to the RADIUS authentication server for authentication, and VPN users are not allowed access before authentication;
S4, the RADIUS authentication server performs security access authentication on VPN users accessing intranet resources: it verifies whether the VPN user's terminal has the authentication software required in step S1 installed, and detects whether the terminal has the security software installed and whether it has violation software installed;
S4.1, if the RADIUS authentication server finds that the terminal has no authentication software, or the authentication software detects that the terminal has no security software, or the authentication software detects that the terminal has violation software, the VPN user is prohibited from accessing intranet resources but is not restricted from accessing other Internet resources;
S4.2, if the RADIUS authentication server finds that the terminal has the authentication software, and the authentication software detects that the terminal has the security software and no violation software, the VPN user is allowed to access intranet resources.
Further, in step S1, the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
Further, in step S4, the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
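The step S4 decision above, as an added example that is not part of the patent: a Python model of the RADIUS server's check, combining the credentials issued in S1, the binding of username, computer name, MAC address and IP address, and the three posture conditions of S4.1/S4.2. The account, binding and posture report values are constructed sample data, and the plaintext password store is a simplification for the demo.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    # Elements the RADIUS server binds to an issued VPN account (steps S1 / S4).
    computer_name: str
    mac: str
    ip: str


@dataclass(frozen=True)
class PostureReport:
    # What the authentication software on the terminal sends with the login.
    username: str
    password: str
    computer_name: str
    mac: str
    ip: str
    auth_software_installed: bool      # False models a terminal without the S1 software
    security_software_installed: bool
    violation_software_found: bool


# Constructed sample data standing in for the RADIUS server's database.
# A real server would store a password hash; plaintext is used here only for the demo.
ISSUED_ACCOUNTS = {"vpnuser01": "S1-issued-password"}
BINDINGS = {"vpnuser01": Binding("PC-0147", "00:11:22:33:44:55", "192.168.20.15")}


def _norm_mac(mac: str) -> str:
    # Make "00-11-22-33-44-55" and "00:11:22:33:44:55" compare equal.
    return mac.replace("-", ":").lower()


def decide_intranet_access(report, accounts=ISSUED_ACCOUNTS, bindings=BINDINGS):
    """Step S4 decision: returns (allowed, reason).

    A False result only blocks intranet resources; per S4.1 the VPN user's
    access to other Internet resources is not restricted by this decision.
    """
    expected = accounts.get(report.username)
    if expected is None or not hmac.compare_digest(expected, report.password):
        return False, "unknown account or wrong password (S1 credentials)"
    bound = bindings.get(report.username)
    seen = (report.computer_name, _norm_mac(report.mac), report.ip)
    if bound is None or (bound.computer_name, _norm_mac(bound.mac), bound.ip) != seen:
        return False, "terminal does not match the bound computer name / MAC / IP"
    if not report.auth_software_installed:
        return False, "authentication software not installed (S4.1)"
    if not report.security_software_installed:
        return False, "security software not installed (S4.1)"
    if report.violation_software_found:
        return False, "violation software present (S4.1)"
    return True, "terminal compliant (S4.2)"


if __name__ == "__main__":
    ok = PostureReport("vpnuser01", "S1-issued-password", "PC-0147",
                       "00-11-22-33-44-55", "192.168.20.15", True, True, False)
    print(decide_intranet_access(ok))
```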
First embodiment:
For example, a certain enterprise uses the AD-Campus platform of H3C for unified user authentication. The authentication policy allocates a unified iNode account and password to every end user, and AD-Campus binds the iNode account and password to three elements of the user's computer: its MAC address, its computer name and its IP address. Following the idea of this patent, a unified username and password are created for the enterprise's VPN users on the AD-Campus platform, and the MAC address, computer name and IP address of each VPN user's computer are bound in the background. The enterprise adds a VPN authentication switch (H3C S5130) below the Internet boundary switch (H3C S10510X); the IP address of the authentication switch is 10.98.10.5, and access control list 3802 is configured on the Internet boundary switch:
acl number 3802
 rule 5 permit ip source 192.168.0.0 0.0.255.255
and policy-based route node 110 is configured as well:
policy-based-route VPN-yinliu permit node 110
 if-match acl 3802
 apply next-hop 10.98.10.5
Through this configuration all VPN user traffic is steered into the VPN authentication switch; the AD-Campus platform then authenticates VPN users first, and a VPN user can access enterprise intranet resources only after the background has matched the iNode account, password, MAC address, computer name and IP address.
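The ACL and policy-based route of the embodiment above, as an added example that is not part of the patent: a Python model of Comware wildcard-mask matching for ACL 3802 and of the next-hop choice made by policy node 110, followed by a defender's check that every address in the VPN pool is actually steered to the authentication switch (an address the ACL does not match follows the normal route and never reaches the RADIUS check). The VPN pool values are constructed; the page does not say on which interface the policy is applied, so the model assumes it is applied where VPN user traffic enters the boundary switch.

```python
import ipaddress

AUTH_SWITCH = "10.98.10.5"   # apply next-hop of policy-based-route VPN-yinliu node 110
# ACL 3802 from the embodiment: (action, base address, wildcard mask).
ACL_3802 = [("permit", "192.168.0.0", "0.0.255.255")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware ACL semantics: a 0 bit in the wildcard must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(src_ip: str, rules=ACL_3802) -> bool:
    """First matching rule wins. An unmatched packet is not permitted by the ACL,
    so the PBR node does not apply and the packet follows the normal routing table."""
    for action, base, wildcard in rules:
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False


def next_hop(src_ip: str, normal_next_hop: str = "normal-route") -> str:
    """Node 110: if-match acl 3802 -> apply next-hop 10.98.10.5, else normal routing."""
    return AUTH_SWITCH if acl_permits(src_ip) else normal_next_hop


def unsteered_addresses(vpn_pool: str, rules=ACL_3802, limit: int = 5):
    """Defender check: addresses of the VPN pool that the ACL would NOT steer (up to `limit`).

    Any such address bypasses the authentication switch, so the list should be empty
    for every pool the VPN concentrator can assign to a user.
    """
    missed = []
    for host in ipaddress.ip_network(vpn_pool, strict=False):   # constructed pool
        if not acl_permits(str(host), rules):
            missed.append(str(host))
            if len(missed) >= limit:
                break
    return missed


if __name__ == "__main__":
    print(next_hop("192.168.20.15"))              # steered to the authentication switch
    print(unsteered_addresses("192.169.0.0/30"))  # a pool the ACL does not cover
```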

Claims (3)

1. A method for realizing enterprise LAN unified authentication based on a VPN environment, characterized in that the method comprises a plurality of VPN users and a RADIUS authentication server, and comprises the following steps:
S1, the RADIUS authentication server issues a username and password to every VPN user and requires the terminal of every VPN user to install the authentication software;
S2, an authentication switch is added below the enterprise's existing Internet boundary switch, and the next hop for traffic whose source address is a VPN user's IP address is pointed at the added authentication switch;
S3, all traffic from the authentication switch is directed to the existing SDN unified authentication server, so the traffic of every VPN user first goes to the RADIUS authentication server for authentication, and VPN users are not allowed access before authentication;
S4, the RADIUS authentication server performs security access authentication on VPN users accessing intranet resources: it verifies whether the VPN user's terminal has the authentication software required in step S1 installed, and detects whether the terminal has the security software installed and whether it has violation software installed;
S4.1, if the RADIUS authentication server finds that the terminal has no authentication software, or the authentication software detects that the terminal has no security software, or the authentication software detects that the terminal has violation software, the VPN user is prohibited from accessing intranet resources but is not restricted from accessing other Internet resources;
S4.2, if the RADIUS authentication server finds that the terminal has the authentication software, and the authentication software detects that the terminal has the security software and no violation software, the VPN user is allowed to access intranet resources.
2. The method for realizing enterprise LAN unified authentication based on a VPN environment according to claim 1, characterized in that in step S1 the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
3. The method for realizing enterprise LAN unified authentication based on a VPN environment according to claim 2, characterized in that in step S4 the RADIUS authentication server binds the terminal username, the computer name, the MAC address and the IP address of the VPN user.
Priority Applications (1)

Application Number Priority Date Filing Date Title Status Publication
CN202111350053.2A 2021-11-15 2021-11-15 Method for realizing enterprise local area network unified authentication based on VPN environment Pending CN114143045A (en)

Publications (1)

Publication Number Publication Date
CN114143045A true CN114143045A (en) 2022-03-04

Family

ID=80393189

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212374A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for remote access to campus network resources
CN102271132A (en) * 2011-07-26 2011-12-07 北京星网锐捷网络技术有限公司 Control method and system for network access authority and client
CN109905407A (en) * 2019-04-03 2019-06-18 北京奇安信科技有限公司 Management method, system, equipment and medium based on vpn server access Intranet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
宁盾NINGTON: "Ningdun Technology + Pengli Technology" | Passed multiple tests, strictly safeguarding the security of terminals joining the network, URL: HTTPS://WWW.SOHU.COM/A/434156185_100200904, pages 1-2 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589337A (en) * 2022-11-29 2023-01-10 电子科大科园股份有限公司 Network connection method and system
CN115589337B (en) * 2022-11-29 2023-02-24 电子科大科园股份有限公司 Network connection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination