CN115603968A - Access control method, device, equipment and medium - Google Patents


Info

Publication number: CN115603968A
Authority: CN (China)
Prior art keywords: data, processed, message, protocol, access
Legal status: Pending
Application number: CN202211202758.4A
Other languages: Chinese (zh)
Inventors: 刘铮, 李友, 陈翔
Current Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202211202758.4A
Publication of CN115603968A
Priority to PCT/CN2023/083458 (WO2024066248A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/105 ... multiple levels of security
    • H04L63/08 ... for authentication of entities
    • H04L63/0807 ... using tickets, e.g. Kerberos
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3239 ... involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Abstract

The application relates to the technical field of computer network communication and discloses an access control method, device, equipment and medium. A plurality of pieces of data to be processed, transmitted by external devices, are acquired; the external devices include a client and a server. The priority of each piece of data to be processed is determined according to the protocol type and the message type to which it belongs. The data to be processed are then processed in order of priority, so as to complete the access authentication of the client by the server. Each piece of data to be processed has a protocol type and a message type; how close that data is to completing authentication is determined from those two, and the closer it is, the higher the priority that can be set. A client that began authenticating first can therefore complete authentication as soon as possible, the number of clients being authenticated at the same time is reduced, the authentication efficiency of the access device is improved, and the access device's capacity to process authentication messages is used to the fullest extent.

Description

Access control method, device, equipment and medium
Technical Field
The present application relates to the field of computer network communication technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for controlling access.
Background
The 802.1x protocol is a port-based network access control protocol that is widely used on Ethernet and mainly addresses authentication and security on Ethernet. A system using 802.1x is a typical Client/Server (C/S) architecture that mainly contains three entities: a client, an access device and an authentication server. The client is an entity at one end of the LAN segment, generally a user terminal device; the user initiates 802.1x authentication by starting client software, which must support the Extensible Authentication Protocol over LAN (EAPoL). The access device is an entity at the other end of the LAN segment, typically a network device supporting the 802.1x protocol, which provides the port through which the client accesses the LAN. The authentication server is an entity that provides authentication services for the access device. It implements authentication, authorization and accounting for the user, and is generally a Remote Authentication Dial In User Service (RADIUS) server. The RADIUS server may store the user's related information, such as the user's account and password, the Virtual Local Area Network (VLAN) to which the user belongs, the user's priority, the user's access control list, and so on.
The client uses the standard 802.1x protocol for access authentication. The client, the access device and the authentication server complete authentication through a series of message exchanges; if the client passes authentication, the access device allows it to access resources in the network, and if it does not, the access device may prohibit access to those resources. If packets are lost during authentication, either between the client and the access device or between the access device and the authentication server, a retransmission mechanism has to be started. In some scenarios, such as a power failure and restart of the access device or a large number of clients coming online at once, authentication of a large number of clients is triggered simultaneously; with the limited processing capability of the access device's Central Processing Unit (CPU), this causes random packet loss and a large number of retransmissions, which greatly delays the time at which clients come online.
Conventionally, the number of clients an access device supports is subject to a limit, and when that number is exceeded, access devices have to be added or replaced with better-performing ones. The conventional technology thus generally provides a solution from the hardware side, but from the user's perspective this is not economical, and adding or replacing access devices changes the existing network topology, which is inconvenient for network operation and maintenance.
It can be seen that how to maximize the processing capability of the access device for authentication messages is a problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the present application provide a method, an apparatus, a device and a computer-readable storage medium for controlling access, which can make the fullest use of the processing capability of an access device for authentication messages.
In order to solve the foregoing technical problem, an embodiment of the present application provides an access control method, including:
acquiring a plurality of pieces of data to be processed transmitted by external devices; the external devices comprise a client and a server;
determining the priority of each piece of data to be processed according to the protocol type and the message type to which it belongs; the priority is set based on the protocol type, the message type and how close the data is to completing authentication;
and processing each piece of data to be processed in turn, in order of priority, so as to complete the access authentication of the client by the server.
Optionally, determining the priority of each piece of data to be processed according to the protocol type and message type to which it belongs includes:
sending the data to be processed to the corresponding CPU queue according to the protocol type to which it belongs;
parsing the data to be processed recorded in each CPU queue in turn, in the priority order of the CPU queues, to determine the message type of each piece of data to be processed in each CPU queue;
and sending the data to be processed to the protocol distribution queue matching its message type; each protocol distribution queue is given a different priority according to how close its message type is to completed authentication.
Optionally, sending the data to be processed to the corresponding CPU queue according to the protocol type to which it belongs includes:
determining whether the data to be processed belongs to an authentication service protocol message;
in the case that the data to be processed belongs to an authentication service protocol message, sending it to a first CPU queue;
in the case that the data to be processed does not belong to an authentication service protocol message, determining whether it belongs to an identity authentication protocol message;
and in the case that the data to be processed belongs to an identity authentication protocol message, sending it to a second CPU queue; the priority of the first CPU queue is higher than that of the second CPU queue.
Optionally, after determining whether the data to be processed belongs to an authentication service protocol message, the method further includes:
in the case that the data to be processed belongs to neither an authentication service protocol message nor an identity authentication protocol message, discarding the data to be processed.
Optionally, parsing the data to be processed recorded in each CPU queue in turn, in the priority order of the CPU queues, to determine the message type of each piece of data to be processed in each CPU queue includes:
determining whether an authentication service protocol message is recorded in the first CPU queue;
in the case that an authentication service protocol message is recorded in the first CPU queue, parsing the code field of the authentication service protocol message to determine the first message type to which it belongs; the first message type comprises an access challenge and an access acceptance;
determining whether an identity authentication protocol message is recorded in the second CPU queue;
and in the case that an identity authentication protocol message is recorded in the second CPU queue, parsing the code field and the type field of the identity authentication protocol message to determine the second message type to which it belongs; the second message type comprises an MD5 challenge password response, a user name information response and an authentication request.
Optionally, the protocol distribution queues matched with the message types include a first protocol distribution queue matched with an authentication request, a second protocol distribution queue matched with a user name information response, a third protocol distribution queue matched with an access acceptance, a fourth protocol distribution queue matched with an MD5 challenge password response, and a fifth protocol distribution queue matched with an access challenge; wherein the priorities of the first protocol distribution queue, the second protocol distribution queue, the third protocol distribution queue, the fourth protocol distribution queue and the fifth protocol distribution queue are sequentially increased.
Optionally, sending the data to be processed to the protocol distribution queue matching its message type includes:
sending an authentication request message, whose message type is authentication request, to the first protocol distribution queue;
sending a user name information response message, whose message type is user name information response, to the second protocol distribution queue;
sending an access challenge message, whose message type is access challenge, to the third protocol distribution queue;
sending an MD5 challenge password response message, whose message type is MD5 challenge password response, to the fourth protocol distribution queue;
and sending an access acceptance message, whose message type is access acceptance, to the fifth protocol distribution queue.
Optionally, processing each piece of data to be processed in turn, in the priority order of the data to be processed, to complete the access authentication of the client by the server includes:
determining whether an access acceptance message is received;
in the case that an access acceptance message is received, sending a response message indicating that access authentication has passed to the corresponding target client;
in the case that no access acceptance message is received, determining whether an MD5 challenge password response message is received;
in the case that an MD5 challenge password response message is received, encapsulating it into an access request and sending the access request to the server; in the case that no MD5 challenge password response message is received, determining whether an access challenge message is received;
in the case that an access challenge message is received, sending an MD5 challenge password request to the corresponding client;
in the case that no access challenge message is received, determining whether a user name information response message is received;
in the case that a user name information response message is received, encapsulating it into an initial access request and sending the initial access request to the server;
in the case that no user name information response message is received, determining whether an authentication request message is received;
and in the case that an authentication request message is received, sending a user name information request to the corresponding client.
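The classification and processing flow set out in the steps above, as an added simulation in Python (not the patent's or the applicant's own code): frames are bucketed into the two CPU queues by protocol, their code/type fields are parsed to pick the protocol distribution queue, and the queues are drained from the highest priority down. The protocol constants follow IEEE 802.1X, RFC 3748 and RFC 2865; the frames, client names and action strings are constructed for the example.

```python
"""Simulation of the priority dispatch described above (CPU queue by protocol,
message type from the code/type fields, five protocol distribution queues drained
from the highest priority down). Illustrative code for this page, not the patent's."""
from collections import namedtuple
import struct

# "Authentication service protocol" = RADIUS (server side), "identity authentication
# protocol" = EAPoL (client side). Constants follow 802.1X, RFC 3748 and RFC 2865.
PROTO_RADIUS, PROTO_EAPOL = "radius", "eapol"
EAPOL_EAP_PACKET, EAPOL_START = 0, 1                    # EAPoL packet types
EAP_RESPONSE = 2                                        # EAP code
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                  # EAP types
RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 2, 11   # RADIUS codes

# Protocol distribution queues: the closer a message type is to a finished
# authentication, the higher its priority (1 = lowest, 5 = highest).
QUEUE_PRIORITY = {
    "auth_request": 1,       # EAPOL-Start
    "username_response": 2,  # EAP-Response/Identity
    "access_challenge": 3,   # RADIUS Access-Challenge
    "md5_response": 4,       # EAP-Response/MD5-Challenge
    "access_accept": 5,      # RADIUS Access-Accept
}
# What the access device does when it takes a message of each type off a queue.
ACTION = {
    "access_accept": "send access-authentication-passed response to client",
    "md5_response": "encapsulate into Access-Request and send to server",
    "access_challenge": "send MD5 challenge password request to client",
    "username_response": "encapsulate into initial Access-Request and send to server",
    "auth_request": "send user name information request to client",
}

# proto: protocol of the data; client: identification of the client it concerns; payload: bytes
Frame = namedtuple("Frame", "proto client payload")

def cpu_queue_for(proto):
    """First CPU queue for RADIUS, second for EAPoL; None means discard."""
    return {PROTO_RADIUS: 1, PROTO_EAPOL: 2}.get(proto)

def message_type(proto, payload):
    """Classify by the code field (RADIUS) or the code and type fields (EAP)."""
    if proto == PROTO_RADIUS:
        if len(payload) < 20:  # code, id, length, 16-byte authenticator
            return None
        return {RADIUS_ACCESS_ACCEPT: "access_accept", RADIUS_ACCESS_CHALLENGE: "access_challenge"}.get(payload[0])
    if proto == PROTO_EAPOL and len(payload) >= 4:
        _version, eapol_type, body_len = struct.unpack("!BBH", payload[:4])
        if eapol_type == EAPOL_START:
            return "auth_request"
        if eapol_type == EAPOL_EAP_PACKET and body_len >= 5 and len(payload) >= 9:
            code, _id, _length, eap_type = struct.unpack("!BBHB", payload[4:9])
            if code == EAP_RESPONSE:
                return {EAP_TYPE_IDENTITY: "username_response", EAP_TYPE_MD5: "md5_response"}.get(eap_type)
    return None

def dispatch(frames):
    """Stage 1: CPU queue by protocol; stage 2: parse CPU queues in priority order
    and move each message to the distribution queue matching its type."""
    cpu_queues, dropped = {1: [], 2: []}, []
    for fr in frames:
        q = cpu_queue_for(fr.proto)
        (cpu_queues[q] if q else dropped).append(fr)   # neither protocol: discard
    dist = {name: [] for name in QUEUE_PRIORITY}
    for q in sorted(cpu_queues):                        # first CPU queue before second
        for fr in cpu_queues[q]:
            mtype = message_type(fr.proto, fr.payload)
            (dist[mtype] if mtype else dropped).append(fr)
    return dist, dropped

def process(dist):
    """Stage 3: drain distribution queues from highest to lowest priority, FIFO
    within each queue; returns (client, message type, action) in processing order."""
    order = []
    for name in sorted(dist, key=QUEUE_PRIORITY.get, reverse=True):
        order.extend((fr.client, name, ACTION[name]) for fr in dist[name])
    return order

def eapol_start():  # builders for constructed sample frames, not captured traffic
    return struct.pack("!BBH", 2, EAPOL_START, 0)

def eap_response(eap_type, body):
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(body), eap_type) + body
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap

def radius(code):
    return struct.pack("!BBH", code, 1, 20) + bytes(16)

def run_example():
    """Five clients at different stages arrive in reverse order, plus a stray frame."""
    frames = [
        Frame(PROTO_EAPOL, "A", eapol_start()),
        Frame(PROTO_EAPOL, "B", eap_response(EAP_TYPE_IDENTITY, b"alice")),
        Frame("arp", "X", b"\x00\x01\x08\x00"),  # neither protocol: discarded
        Frame(PROTO_RADIUS, "C", radius(RADIUS_ACCESS_CHALLENGE)),
        Frame(PROTO_EAPOL, "D", eap_response(EAP_TYPE_MD5, bytes(17))),
        Frame(PROTO_RADIUS, "E", radius(RADIUS_ACCESS_ACCEPT)),
    ]
    dist, dropped = dispatch(frames)
    return process(dist), [fr.client for fr in dropped]
```

Client E, whose Access-Accept is one step from a finished authentication, is served first even though its frame arrived last, while the EAPOL-Start from client A waits.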
Optionally, before acquiring the plurality of pieces of data to be processed transmitted by the external devices, the method further includes:
configuring a first access control list, a second access control list and a third access control list in advance; the third access control list is used to match authentication service protocol messages, the second access control list is used to match identity authentication protocol messages, and the first access control list is used to match traffic data other than authentication service protocol messages and identity authentication protocol messages.
Optionally, after sending the response message indicating that access authentication has passed to the corresponding target client, the method further includes:
recording the identification information of the target client in a fourth access control list.
Optionally, after determining whether the data to be processed belongs to an authentication service protocol message, the method further includes:
in the case that the data to be processed belongs to neither an authentication service protocol message nor an identity authentication protocol message, determining whether the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list;
in the case that the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list, releasing (forwarding) the data to be processed;
and in the case that the client identification information corresponding to the data to be processed does not match the identification information recorded in the fourth access control list, discarding the data to be processed.
Optionally, in the case that the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list, the method further includes, after releasing the data to be processed:
recording the data to be processed, the identification information of the client transmitting it, and the release time.
Optionally, before sending the data to be processed to the first CPU queue, the method further includes:
under the condition that the data to be processed belongs to an authentication service protocol message, judging whether the residual storage space of the first CPU queue meets the storage requirement of the data to be processed;
under the condition that the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed, the step of sending the data to be processed to the first CPU queue is executed;
and under the condition that the remaining storage space of the first CPU queue does not meet the storage requirement of the data to be processed, distributing a new first CPU queue with the same priority as the first CPU queue for the data to be processed, and sending the data to be processed to the new first CPU queue.
Optionally, after the allocating a new first CPU queue with a priority equal to that of the first CPU queue to the data to be processed, the method further includes:
and feeding back first prompt information for suspending new data transmission to the target client terminal transmitting the data to be processed.
Optionally, before the sending the data to be processed to the second CPU queue, the method further includes:
under the condition that the data to be processed belongs to the identity authentication protocol message, judging whether the residual storage space of the second CPU queue meets the storage requirement of the data to be processed;
under the condition that the residual storage space of the second CPU queue meets the storage requirement of the data to be processed, the step of sending the data to be processed to the second CPU queue is executed;
and under the condition that the remaining storage space of the second CPU queue does not meet the storage requirement of the data to be processed, distributing a new second CPU queue with the same priority as the second CPU queue for the data to be processed, and sending the data to be processed to the new second CPU queue.
Optionally, after allocating a new second CPU queue with a priority equal to that of the second CPU queue to the data to be processed, the method further includes:
and feeding back second prompt information for slowing down the transmission of new data to the target client terminal transmitting the data to be processed.
Optionally, before the acquiring the plurality of to-be-processed data transmitted by the external device, the method further includes:
judging whether first data with the determined priority exists or not;
under the condition that first data with the determined priority exist, sequentially processing the first data according to the priority sequence of the first data so as to finish the access authentication of the server to a client corresponding to the first data;
under the condition that first data with the determined priority does not exist, judging whether second data transmitted by external equipment is acquired or not;
and under the condition of acquiring second data transmitted by the external equipment, determining the priority of the second data according to the protocol type and the message type of the second data.
An embodiment of the present application also provides an access control device, which comprises an acquisition unit, a determining unit and an authentication unit;
the acquisition unit is used to acquire a plurality of pieces of data to be processed transmitted by external devices; the external devices comprise a client and a server;
the determining unit is configured to determine the priority of each piece of data to be processed according to the protocol type and message type to which it belongs; the priority is set based on the protocol type, the message type and how close the data is to completing authentication;
and the authentication unit is used to process each piece of data to be processed in turn, in order of priority, so as to complete the access authentication of the client by the server.
Optionally, the determining unit includes a first sending subunit, a parsing subunit and a second sending subunit;
the first sending subunit is configured to send the data to be processed to the corresponding CPU queue according to the protocol type to which it belongs;
the parsing subunit is configured to parse, in turn and in the priority order of the CPU queues, the data to be processed recorded in each CPU queue, so as to determine the message type of each piece of data to be processed in each CPU queue;
and the second sending subunit is configured to send the data to be processed to the protocol distribution queue matching its message type; each protocol distribution queue is given a different priority according to how close its message type is to completed authentication.
Optionally, the first sending subunit is configured to determine whether the data to be processed belongs to an authentication service protocol message;
in the case that the data to be processed belongs to an authentication service protocol message, send it to a first CPU queue;
in the case that the data to be processed does not belong to an authentication service protocol message, determine whether it belongs to an identity authentication protocol message;
and in the case that the data to be processed belongs to an identity authentication protocol message, send it to a second CPU queue; the priority of the first CPU queue is higher than that of the second CPU queue.
Optionally, a discarding unit is further included;
the discarding unit is configured to discard the data to be processed when it belongs to neither an authentication service protocol message nor an identity authentication protocol message.
Optionally, the parsing subunit is configured to determine whether an authentication service protocol message is recorded in the first CPU queue;
in the case that an authentication service protocol message is recorded in the first CPU queue, parse the code field of the authentication service protocol message to determine the first message type to which it belongs; the first message type comprises an access challenge and an access acceptance;
determine whether an identity authentication protocol message is recorded in the second CPU queue;
and in the case that an identity authentication protocol message is recorded in the second CPU queue, parse the code field and the type field of the identity authentication protocol message to determine the second message type to which it belongs; the second message type comprises an MD5 challenge password response, a user name information response and an authentication request.
Optionally, the protocol distribution queue matched with the message type includes a first protocol distribution queue matched with the authentication request, a second protocol distribution queue matched with the user name information response, a third protocol distribution queue matched with the access acceptance, a fourth protocol distribution queue matched with the MD5 challenge password response, and a fifth protocol distribution queue matched with the access challenge; wherein the priorities of the first protocol distribution queue, the second protocol distribution queue, the third protocol distribution queue, the fourth protocol distribution queue and the fifth protocol distribution queue are sequentially increased.
Optionally, the second sending subunit is configured to send an authentication request message, whose message type is authentication request, to the first protocol distribution queue;
send a user name information response message, whose message type is user name information response, to the second protocol distribution queue;
send an access challenge message, whose message type is access challenge, to the third protocol distribution queue;
send an MD5 challenge password response message, whose message type is MD5 challenge password response, to the fourth protocol distribution queue;
and send an access acceptance message, whose message type is access acceptance, to the fifth protocol distribution queue.
Optionally, the authentication unit includes a first judging subunit, a first sending subunit, a second judging subunit, a second sending subunit, a third judging subunit, a third sending subunit, a fourth judging subunit, a fourth sending subunit, a fifth judging subunit and a fifth sending subunit;
the first judging subunit is configured to determine whether an access acceptance message is received;
the first sending subunit is configured to send a response message indicating that access authentication has passed to the corresponding target client when the access acceptance message is received;
the second judging subunit is configured to determine whether an MD5 challenge password response message is received when no access acceptance message is received;
the second sending subunit is configured to encapsulate the MD5 challenge password response message into an access request and send the access request to the server when the MD5 challenge password response message is received;
the third judging subunit is configured to determine whether an access challenge message is received when no MD5 challenge password response message is received;
the third sending subunit is configured to send an MD5 challenge password request to the corresponding client when the access challenge message is received;
the fourth judging subunit is configured to determine whether a user name information response message is received when no access challenge message is received;
the fourth sending subunit is configured to encapsulate the user name information response message into an initial access request and send the initial access request to the server when the user name information response message is received;
the fifth judging subunit is configured to determine whether an authentication request message is received when no user name information response message is received;
and the fifth sending subunit is configured to send a user name information request to the corresponding client when the authentication request message is received.
Optionally, a configuration unit is further included;
the configuration unit is used for configuring a first access control list, a second access control list and a third access control list in advance; the third access control list is used for matching an authentication service protocol message, the second access control list is used for matching an identity verification protocol message, and the first access control list is used for matching traffic data except the authentication service protocol message and the identity verification protocol message.
Optionally, a recording unit is further included;
and the recording unit is used for recording the identification information of the target client through a fourth access control list after the response message of passing the access authentication is sent to the corresponding target client.
Optionally, the device further comprises an identification judgment unit, a releasing unit and a discarding unit;
the identification judgment unit is configured to determine whether the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list, when the data to be processed belongs to neither an authentication service protocol message nor an identity authentication protocol message;
the releasing unit is configured to release (forward) the data to be processed when the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list;
and the discarding unit is configured to discard the data to be processed when the client identification information corresponding to the data to be processed does not match the identification information recorded in the fourth access control list.
Optionally, a data recording unit is further included;
and the data recording unit is used for recording the identification information of the data to be processed and the client side transmitting the data to be processed and the release time after releasing the data to be processed under the condition that the identification information of the client side corresponding to the data to be processed is matched with the identification information recorded by the fourth access control list.
Optionally, the system further comprises a first space judgment unit, a first allocation unit and a first sending unit;
the first space judgment unit is configured to judge whether the remaining storage space of the first CPU queue meets the storage requirement of the to-be-processed data when the to-be-processed data belongs to an authentication service protocol packet; under the condition that the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed, triggering the first sending subunit to execute the step of sending the data to be processed to the first CPU queue;
the first allocation unit is configured to allocate, to the data to be processed, a new first CPU queue having a priority equal to that of the first CPU queue when the remaining storage space of the first CPU queue does not meet the storage requirement of the data to be processed;
and the first sending unit is used for sending the data to be processed to the new first CPU queue.
Optionally, the system further comprises a first prompting unit;
and the first prompt unit is used for feeding back first prompt information for suspending new data transmission to a target client terminal for transmitting the data to be processed.
Optionally, the system further comprises a second space judgment unit, a second allocation unit and a second sending unit;
the second space judgment unit is configured to judge whether the remaining storage space of the second CPU queue meets the storage requirement of the to-be-processed data when the to-be-processed data belongs to an authentication protocol packet; under the condition that the remaining storage space of the second CPU queue meets the storage requirement of the data to be processed, triggering the first sending subunit to execute the step of sending the data to be processed to the second CPU queue;
the second allocating unit is configured to allocate, to the data to be processed, a new second CPU queue having a priority equal to that of the second CPU queue when the remaining storage space of the second CPU queue does not meet the storage requirement of the data to be processed;
and the second sending unit is used for sending the data to be processed to the new second CPU queue.
Optionally, a second prompting unit is further included;
and the second prompting unit is used for feeding back second prompting information for slowing down new data transmission to the target client side transmitting the data to be processed.
Optionally, the system further comprises a first data judgment unit and a second data judgment unit;
the first data judging unit is used for judging whether first data with determined priority exists or not;
the authentication unit is further configured to, in the presence of first data of which the priority is determined, sequentially process the first data according to the priority order of the first data, so as to complete access authentication of the server to a client corresponding to the first data;
the second data judging unit is used for judging whether second data transmitted by the external equipment is acquired or not under the condition that the first data with the determined priority does not exist;
the determining unit is further configured to determine, when second data transmitted by an external device is acquired, a priority of the second data according to a protocol type and a packet type to which the second data belongs.
An embodiment of the present application further provides an electronic device, including:
a memory for storing a computer program;
a processor for executing said computer program for implementing the steps of the method for controlling access as described above.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps of the method for controlling access as described above are implemented.
According to the technical scheme, a plurality of pieces of data to be processed transmitted by the external device are obtained, where the external device comprises a client and a server. The priority of each piece of data to be processed is determined according to the protocol type and the message type to which it belongs, the priority being set based on the protocol type, the message type and the proximity to completion of authentication. The data to be processed are then processed in order of priority so as to complete the access authentication of the client by the server. In this scheme, the proximity between a piece of data to be processed and completion of authentication can be determined from its protocol type and message type, and the closer it is, the higher the priority that can be set, so that a client that began authentication first completes it as soon as possible, the number of clients being authenticated at the same time is reduced, the continuity and timeliness of each client's authentication process are ensured, the authentication efficiency of the access device is improved, and the processing capacity of the access device for authentication messages is used to the fullest extent.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for controlling access according to an embodiment of the present application;
fig. 2 is a schematic diagram of a conventional access authentication process according to an embodiment of the present application;
fig. 3 is a flowchart of a method for storing data to be processed in a corresponding CPU queue according to an embodiment of the present application;
fig. 4 is a flowchart of a method for determining a packet type to which data belongs according to an embodiment of the present application;
fig. 5 is a flowchart of a method for processing data according to a priority order of the data according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application;
fig. 7 is a structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The terms "including" and "having," and any variations thereof in the description and claims of this application and the above-described drawings, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
Next, a method for controlling access provided in an embodiment of the present application is described in detail. Fig. 1 is a flowchart of a method for controlling access according to an embodiment of the present application, where the method includes:
S101: And acquiring a plurality of data to be processed transmitted by the external equipment.
The external equipment comprises a client and a server.
The client can perform access authentication with the server through the access device. The client and the access device interact based on the EAP protocol, and the server and the access device interact based on the RADIUS protocol. In this embodiment, data exchanged between the client and the access device may be referred to as an identity verification (EAP) protocol packet, and data exchanged between the server and the access device may be referred to as an authentication service (RADIUS) protocol packet.
The data to be processed transmitted from the external device to the access device may include data transmitted from the client to the access device and data transmitted from the server to the access device.
Fig. 2 is a schematic diagram of a conventional access authentication process according to an embodiment of the present application. The client transmits an authentication request (EAPoL-Start) message to the access device. After receiving the authentication request message, the access device sends a username information request (EAPoL-Request/Identity) to the client, asking it for the username. After receiving the username information request, the client feeds back a username information response (EAPoL-Response/Identity) message to the access device. After the access device obtains the username information response message, it encapsulates the username in an access request (RADIUS Access-Request) and sends the access request to the server. The server performs access authentication of the client based on the access request, and in the access authentication phase the server sends an access challenge (RADIUS Access-Challenge) message to the access device. After the access device obtains the access challenge message, it sends an MD5 challenge password request (EAPoL-Request/MD5-Challenge) to the client. After receiving the MD5 challenge password request, the client feeds back an MD5 challenge password response (EAPoL-Response/MD5-Challenge) message to the access device. After receiving the MD5 challenge password response message, the access device encapsulates the MD5 challenge password in an access request (RADIUS Access-Request) and sends the access request to the server. The server authenticates the client based on the MD5 challenge password carried in the access request and, once authentication passes, feeds back an access accept (RADIUS Access-Accept) message to the access device; on receiving the access accept message, the access device can send an EAP-Success response message to the client.
S102: and determining the priority of each data to be processed according to the protocol type and the message type of each data to be processed.
In the embodiment of the application, in order to use the processing capability of the access device for authentication messages to the fullest extent, a priority mechanism can be set so that the message closest to completing authentication is processed first. The client that initiated authentication earliest then completes it first, the number of clients being authenticated at the same time is reduced, the probability of packet loss is reduced, and authentication efficiency is improved.
In a specific implementation, the priority may be set based on the protocol type, the message type, and the proximity to completion of authentication. The protocol types may include an authentication service protocol and an identity verification protocol.
Based on different implementation functions, the message types of the messages under each protocol type can be divided. The corresponding message types under the authentication service protocol may include an access challenge and an access accept. The corresponding message types under the identity authentication protocol can comprise an authentication request, a user name information response and an MD5 challenge password response.
The higher the proximity to completion of authentication, the higher the priority can be set. In the embodiment of the present application, priorities may be set for the protocol type and the packet type, respectively. Taking the protocol type as an example, the priority of the authentication service protocol may be set higher than the priority of the authentication protocol.
Taking the message type as an example, it can be seen from the schematic diagram of the access authentication process shown in fig. 2 that, ordered from highest to lowest proximity to completion of authentication, the message types are access accept, MD5 challenge password response, access challenge, username information response, and authentication request.
In the embodiment of the present application, the priorities corresponding to different protocol types and the priorities corresponding to different message types may be preset. After the data to be processed is obtained, the priority of each data to be processed can be determined according to the protocol type and the message type to which each data to be processed belongs.
S103: and sequentially processing the data to be processed according to the priority sequence of the data to be processed so as to finish the access authentication of the server to the client.
The number of the data to be processed is often large, and after the priority of each data to be processed is determined, the data to be processed can be sequentially processed according to the priority order, so that the access authentication of the server to the client is completed.
For example, assuming that the current data to be processed includes a message A whose message type is MD5 challenge password response and a message B whose message type is username information response, then according to the priority order the access device processes message A first and then message B.
According to the technical scheme, a plurality of pieces of data to be processed transmitted by the external device are obtained, where the external device comprises a client and a server. The priority of each piece of data to be processed is determined according to the protocol type and the message type to which it belongs, the priority being set based on the protocol type, the message type and the proximity to completion of authentication. The data to be processed are then processed in order of priority so as to complete the access authentication of the client by the server. In this scheme, the proximity between a piece of data to be processed and completion of authentication can be determined from its protocol type and message type, and the closer it is, the higher the priority that can be set, so that a client that began authentication first completes it as soon as possible, the number of clients being authenticated at the same time is reduced, the continuity and timeliness of each client's authentication process are ensured, the authentication efficiency of the access device is improved, and the processing capacity of the access device for authentication messages is used to the fullest extent.
In the embodiment of the application, different CPU queues can be set for different protocol types, and different protocol distribution queues can be set for different packet types.
In a specific implementation, the data to be processed can be sent to a corresponding CPU queue according to the protocol type to which the data to be processed belongs; and analyzing the data to be processed recorded in each CPU queue in sequence according to the priority sequence of each CPU queue to determine the message type of the data to be processed in each CPU queue, so that the data to be processed is sent to the protocol distribution queue matched with the message type of the data to be processed. And setting different priorities for each protocol distribution queue according to the proximity degree of each message type and the completed authentication.
Fig. 3 is a flowchart of a method for storing data to be processed in a corresponding CPU queue according to an embodiment of the present application, where the method includes:
S301: And judging whether the data to be processed belongs to the authentication service protocol message.
In an embodiment of the present application, the protocol types may include an authentication service protocol and an identity verification protocol. For the sake of distinction, the CPU queue corresponding to the authentication service protocol may be referred to as the first CPU queue, and the CPU queue corresponding to the identity verification protocol may be referred to as the second CPU queue. The priority of the first CPU queue is higher than that of the second CPU queue, that is, the access device processes the data in the first CPU queue before the data in the second CPU queue.
Therefore, when the data to be processed is sent to the corresponding CPU queue, it can be determined whether the data to be processed belongs to the authentication service protocol packet.
The data structures of the authentication service protocol message and the identity verification protocol message are different. The frame structure of a conventional identity verification protocol (EAP) message includes a code, an identifier, a length, and data, where the data includes a type and type data. The frame structure of a conventional authentication service protocol (RADIUS) message includes a code, an identifier, a length, an authenticator, and attributes. Based on this difference in data structure, it can be distinguished whether the data to be processed belongs to the authentication service protocol message or the identity verification protocol message.
If the data to be processed belongs to the authentication service protocol packet, it indicates that the data to be processed belongs to the data with higher priority, and at this time, S302 may be executed.
In the case that the data to be processed does not belong to the authentication service protocol packet, the protocol type to which the data to be processed belongs may be further determined, and at this time, S303 may be performed.
S302: and sending the data to be processed to a first CPU queue.
The authentication service protocol corresponds to the first CPU queue, and when the data to be processed belongs to the authentication service protocol message, the data to be processed can be directly sent to the first CPU queue.
S303: and judging whether the data to be processed belongs to the identity authentication protocol message.
Based on the data structure of the data to be processed, whether the data to be processed belongs to the authentication protocol message or not can be identified.
If the data to be processed belongs to the authentication protocol packet, it indicates that the data to be processed belongs to the data with a lower priority, and then S304 may be executed.
S304: and sending the data to be processed to a second CPU queue.
The identity authentication protocol corresponds to the second CPU queue, and when the data to be processed belongs to the identity authentication protocol message, the data to be processed can be directly sent to the second CPU queue.
In the embodiment of the application, the corresponding CPU queues are set for the messages of different protocol types, and the priority of each CPU queue is set, so that the messages of different protocol types can be orderly processed according to the priority sequence.
In consideration of practical application, the storage space of the first CPU queue is limited. In the embodiment of the present application, under the condition that the data to be processed belongs to the authentication service protocol packet, before sending the data to be processed to the first CPU queue, it may be determined whether the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed.
In a specific implementation, the determining whether the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed may be comparing whether the remaining storage space of the first CPU queue is greater than or equal to the storage space required by the data to be processed.
And under the condition that the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed, executing the step of sending the data to be processed to the first CPU queue.
When the remaining storage space of the first CPU queue does not satisfy the storage requirement of the data to be processed, a new first CPU queue having the same priority as the first CPU queue may be allocated to the data to be processed, and the data to be processed may be sent to the new first CPU queue.
Similarly, there may be insufficient memory for the second CPU queue. Under the condition that the data to be processed belongs to the identity authentication protocol message, before the data to be processed is sent to the second CPU queue, whether the remaining storage space of the second CPU queue meets the storage requirement of the data to be processed may be determined.
And under the condition that the remaining storage space of the second CPU queue meets the storage requirement of the data to be processed, the step of sending the data to be processed to the second CPU queue is executed.
And under the condition that the remaining storage space of the second CPU queue does not meet the storage requirement of the data to be processed, allocating a new second CPU queue with the priority equal to that of the second CPU queue to the data to be processed, and sending the data to be processed to the new second CPU queue.
When the storage space of the first CPU queue is insufficient, that is, the remaining storage space of the first CPU queue cannot store the to-be-processed data, it indicates that the data volume of the to-be-processed data currently accessed by the access device is already high, and in order to avoid data congestion, the access device may, after allocating a new first CPU queue having the same priority as that of the first CPU queue to the to-be-processed data, feed back, to the target client that transmits the to-be-processed data, first prompt information that suspends new data transmission.
The priority of the first CPU queue is higher than that of the second CPU queue, and the access device processes the data in the first CPU queue first, so when the storage space of the second CPU queue is insufficient, the prompt message with the level lower than that of the first CPU queue can be set.
In a specific implementation, after allocating a new second CPU queue having the same priority as the second CPU queue to the data to be processed, the access device may feed back, to the target client that transmits the data to be processed, second prompt information that slows down transmission of new data.
By detecting the remaining storage space of the first CPU queue and the second CPU queue, a new CPU queue can be timely allocated when the storage space is insufficient, so that the timely storage of the data to be processed is ensured, and the condition of data packet loss is avoided. And by feeding back the prompt information to the client, the data volume of the data to be processed transmitted from the client to the access device can be reduced, and the occurrence of data congestion can be effectively reduced.
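The capacity checks and the two prompt levels just described, as an added Python sketch written for this page rather than the patent's own implementation. Queue capacity is modelled as a byte budget, and the assumption that new data is offered to the most recently allocated queue of a protocol type is mine; the description only says that a new queue of equal priority is allocated when the current one cannot hold the data. Sizes used in the demonstration are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

# Prompt information fed back to the transmitting client when a queue overflows
FIRST_PROMPT = "suspend new data transmission"     # first CPU queue (authentication service) full
SECOND_PROMPT = "slow down new data transmission"  # second CPU queue (identity verification) full


@dataclass
class CpuQueue:
    priority: int
    capacity: int                 # bytes of storage space this queue may hold
    used: int = 0
    items: deque = field(default_factory=deque)

    def remaining(self) -> int:
        return self.capacity - self.used

    def store(self, item: bytes) -> None:
        self.items.append(item)
        self.used += len(item)


@dataclass
class QueueGroup:
    """One protocol type's CPU queues: the original queue plus any queues allocated
    with equal priority when the remaining space was insufficient."""
    protocol: str
    priority: int
    capacity: int
    overflow_prompt: str
    queues: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.queues.append(CpuQueue(self.priority, self.capacity))

    def enqueue(self, item: bytes):
        """Return (index of the queue used, prompt to feed back or None).
        Assumption: new data is offered to the most recently allocated queue."""
        if len(item) > self.capacity:
            raise ValueError("data larger than a whole CPU queue")
        current = self.queues[-1]
        if current.remaining() >= len(item):            # storage requirement met
            current.store(item)
            return len(self.queues) - 1, None
        fresh = CpuQueue(self.priority, self.capacity)   # same priority as the full queue
        fresh.store(item)
        self.queues.append(fresh)
        return len(self.queues) - 1, self.overflow_prompt


class AccessDeviceQueues:
    """S301-S304 with the capacity checks: authentication service (RADIUS) data goes to
    the first, higher-priority group, identity verification (EAP) data to the second
    group, and anything else is discarded as unrelated to access authentication."""

    def __init__(self, capacity: int = 4096):
        self.first = QueueGroup("authentication service", 2, capacity, FIRST_PROMPT)
        self.second = QueueGroup("identity verification", 1, capacity, SECOND_PROMPT)
        self.discarded = 0

    def dispatch(self, protocol: str, item: bytes):
        """Return (group name, queue index, prompt); the caller sends the prompt to the client."""
        if protocol == "authentication service":
            return ("first",) + self.first.enqueue(item)
        if protocol == "identity verification":
            return ("second",) + self.second.enqueue(item)
        self.discarded += 1
        return ("discarded", None, None)


if __name__ == "__main__":
    dev = AccessDeviceQueues(capacity=100)          # constructed, deliberately small budget
    for size in (40, 40, 40):
        print("authentication service", size, "->", dev.dispatch("authentication service", bytes(size)))
    print("identity verification", 90, "->", dev.dispatch("identity verification", bytes(90)))
    print("identity verification", 20, "->", dev.dispatch("identity verification", bytes(20)))
```

The prompt is returned to the caller rather than sent, so the same logic can be exercised offline; in a real device the byte budget would be the hardware queue depth and the two groups would be polled in priority order by the parsing stage described next.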
In practical application, there may be a situation that the data to be processed does not belong to the authentication service protocol message, nor does it belong to the identity verification protocol message. The embodiment of the application is directed to an access verification scene of a client, and when data to be processed does not belong to an authentication service protocol message and does not belong to an identity verification protocol message, the data to be processed is not data related to the access verification scene, so that the data to be processed can be directly discarded under the condition that the data to be processed does not belong to the authentication service protocol message and the identity verification protocol message.
Fig. 4 is a flowchart of a method for determining a packet type to which data belongs according to an embodiment of the present application, where the method includes:
S401: And judging whether the authentication service protocol message is recorded in the first CPU queue.
The first CPU queue corresponds to an authentication service protocol, and for convenience of description, data recorded in the first CPU queue may be referred to as an authentication service protocol packet.
The priority of the first CPU queue is higher than that of the second CPU queue, so that when the message type of the data is determined, whether an authentication service protocol message is recorded in the first CPU queue or not is judged. If the authentication service protocol packet is recorded in the first CPU queue, the authentication service protocol packet recorded in the first CPU queue is processed, that is, S402 is executed.
S402: and analyzing a code field of the authentication service protocol message to determine a first message type of the authentication service protocol message.
For convenience of distinguishing, in the embodiment of the present application, a packet type to which an authentication service protocol packet belongs in a first CPU queue may be referred to as a first packet type; and calling the message type of the authentication protocol message in the second CPU queue as a second message type.
The first message type may include an access challenge and an access accept.
For the authentication service protocol message, the message type of the message can be identified based on the code field of the message.
S403: and judging whether the second CPU queue records the authentication protocol message or not.
When no authentication service protocol message is recorded in the first CPU queue, or after the first message type of the authentication service protocol message has been determined, it can be judged whether an identity verification protocol message is recorded in the second CPU queue.
If the authentication protocol packet is recorded in the second CPU queue, the authentication protocol packet recorded in the second CPU queue is processed, that is, S404 is executed.
S404: and analyzing the code field and the type field of the authentication protocol message to determine the second message type of the authentication protocol message.
For the authentication protocol message, the message type of the message can be identified based on the code field and the type field of the message.
The second message type includes an MD5 challenge password response, a username information response, and an authentication request.
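As an added illustration of the two frame structures described for S301 and of the code and type parsing in S402 and S404 (example code written for this page, not part of the patent), the following Python parses a RADIUS datagram and an EAPoL frame down to the fields the description names and maps them to the message-type names used here. Code and type values are those of RFC 2865, RFC 3748 and IEEE 802.1X. It assumes the access device already knows whether data arrived from the server (RADIUS over UDP) or from a client port (EAPoL), as S101 distinguishes, because both headers begin with the same code, identifier and length fields and cannot be told apart reliably from those three alone. The sample messages are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Code and type values from RFC 2865 (RADIUS), RFC 3748 (EAP) and IEEE 802.1X (EAPoL)
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 1, 2, 11
RADIUS_HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1

# Message-type names as used in the description (outputs of S402 and S404)
RADIUS_TYPE_NAMES = {RADIUS_ACCESS_CHALLENGE: "access challenge",
                     RADIUS_ACCESS_ACCEPT: "access accept"}
EAP_RESPONSE_TYPE_NAMES = {EAP_TYPE_IDENTITY: "username information response",
                           EAP_TYPE_MD5_CHALLENGE: "MD5 challenge password response"}


@dataclass
class Parsed:
    protocol: str       # "authentication service" (RADIUS) or "identity verification" (EAP)
    message_type: str
    identifier: int


def parse_authentication_service(datagram: bytes) -> Parsed:
    """RADIUS: code, identifier, length, authenticator, attributes. S402 needs only the
    code, but length and the attribute TLV chain are validated so a truncated or
    malformed datagram is rejected before it occupies queue space."""
    if len(datagram) < RADIUS_HEADER_LEN:
        raise ValueError("RADIUS datagram shorter than fixed header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < RADIUS_HEADER_LEN or length > len(datagram):
        raise ValueError("RADIUS length field inconsistent with datagram")
    attrs, pos = datagram[RADIUS_HEADER_LEN:length], 0
    while pos < len(attrs):           # each attribute: type(1), length(1, includes header), value
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        pos += attrs[pos + 1]
    return Parsed("authentication service", RADIUS_TYPE_NAMES.get(code, f"radius code {code}"), identifier)


def parse_identity_verification(frame: bytes) -> Parsed:
    """EAPoL frame: version, type, length, then (for an EAP-Packet) the EAP header of
    code, identifier, length and data, where data starts with the type byte. S404 reads
    code and type; an EAPoL-Start carries no EAP body and is the authentication request."""
    if len(frame) < 4:
        raise ValueError("EAPoL frame shorter than header")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPoL length field exceeds frame")
    if eapol_type == EAPOL_TYPE_START:
        return Parsed("identity verification", "authentication request", 0)
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError(f"EAPoL type {eapol_type} is not part of this authentication flow")
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    if code != EAP_CODE_RESPONSE:
        # Requests and Success/Failure are sent by the access device, not received from clients
        return Parsed("identity verification", f"eap code {code}", identifier)
    if length < 5:
        raise ValueError("EAP Response missing type byte")
    eap_type = body[4]
    return Parsed("identity verification",
                  EAP_RESPONSE_TYPE_NAMES.get(eap_type, f"eap response type {eap_type}"), identifier)


def classify(data: bytes, source: str) -> Parsed:
    """`source` is 'server' (RADIUS) or 'client' (EAPoL); the access device knows this
    from the interface the data arrived on (assumption made for this example)."""
    if source == "server":
        return parse_authentication_service(data)
    if source == "client":
        return parse_identity_verification(data)
    raise ValueError("traffic belonging to neither protocol is discarded")


def is_well_formed(data: bytes, source: str) -> bool:
    try:
        classify(data, source)
        return True
    except ValueError:
        return False


# Constructed sample messages (not captured traffic)
SAMPLE_ACCESS_CHALLENGE = bytes([RADIUS_ACCESS_CHALLENGE, 7, 0, 24]) + bytes(16) + bytes([24, 4, 1, 2])
SAMPLE_EAPOL_START = bytes([1, EAPOL_TYPE_START, 0, 0])
SAMPLE_EAP_IDENTITY = bytes([1, EAPOL_TYPE_EAP_PACKET, 0, 8]) + bytes([EAP_CODE_RESPONSE, 1, 0, 8, EAP_TYPE_IDENTITY]) + b"bob"
SAMPLE_EAP_MD5 = bytes([1, EAPOL_TYPE_EAP_PACKET, 0, 22]) + bytes([EAP_CODE_RESPONSE, 2, 0, 22, EAP_TYPE_MD5_CHALLENGE, 16]) + bytes(range(16))
SAMPLE_TRUNCATED_RADIUS = bytes([RADIUS_ACCESS_ACCEPT, 9, 0, 40]) + bytes(16)   # claims 40 bytes, has 20

if __name__ == "__main__":
    for name, data, src in [("Access-Challenge", SAMPLE_ACCESS_CHALLENGE, "server"),
                            ("EAPoL-Start", SAMPLE_EAPOL_START, "client"),
                            ("Response/Identity", SAMPLE_EAP_IDENTITY, "client"),
                            ("Response/MD5-Challenge", SAMPLE_EAP_MD5, "client")]:
        print(name, "->", classify(data, src))
    print("truncated RADIUS well formed?", is_well_formed(SAMPLE_TRUNCATED_RADIUS, "server"))
```

Rejecting a message whose length field disagrees with its actual size matters here because the CPU queues of the previous section are budgeted in bytes: a datagram that claims more than it carries would otherwise be counted against the queue incorrectly and could still reach the parsing stage.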
In the embodiment of the application, corresponding protocol distribution queues can be set for messages of different message types, and the protocol distribution queues can include a first protocol distribution queue matched with an authentication request, a second protocol distribution queue matched with a user name information response, a third protocol distribution queue matched with an access acceptance, a fourth protocol distribution queue matched with an MD5 challenge password response, and a fifth protocol distribution queue matched with an access challenge; the priority levels of the first protocol distribution queue, the second protocol distribution queue, the third protocol distribution queue, the fourth protocol distribution queue and the fifth protocol distribution queue are sequentially increased.
After the message type is determined, an authentication request message whose message type is authentication request can be sent to the first protocol distribution queue; a username information response message whose message type is username information response to the second protocol distribution queue; an access challenge message whose message type is access challenge to the third protocol distribution queue; an MD5 challenge password response message whose message type is MD5 challenge password response to the fourth protocol distribution queue; and an access accept message whose message type is access accept to the fifth protocol distribution queue.
In the embodiment of the application, the corresponding protocol distribution queues are set for the messages of different message types, and the priority of each protocol distribution queue is set, so that the messages of different message types can be orderly processed according to the priority sequence.
Fig. 5 is a flowchart of a method for processing data according to a priority order of the data according to an embodiment of the present application, where the method includes:
S501: And judging whether an access acceptance message is received.
As can be seen from the description of fig. 4, the priorities of the first protocol distribution queue to the fifth protocol distribution queue are sequentially increased, and the access accept packet is recorded in the fifth protocol distribution queue, so that when data processing is performed, it may be determined whether the access accept packet is received first. In a specific implementation, it may be queried whether an access accept packet exists in the fifth protocol distribution queue.
Executing S502 under the condition of receiving the access acceptance message; if the access accept message is not received, S503 is executed.
S502: and sending a response message passing the access authentication to the corresponding target client.
When receiving the access acceptance message, it indicates that the server has completed authentication on the client, and at this time, the access device may send a response message that the access authentication passes to the client.
S503: and judging whether an MD5 challenge password response message is received.
Under the condition that the access acceptance message is not received, whether the MD5 challenge password response message is received or not can be further judged, namely whether the MD5 challenge password response message is recorded in the fourth protocol distribution queue or not can be inquired.
In the case where the MD5 challenge password response message is received, S504 is performed.
In the case where the MD5 challenge password response message is not received, the data of the next priority may be processed, i.e., S505 is performed.
S504: and packaging the MD5 challenge password response message into the access request, and sending the access request to the server.
When receiving the MD5 challenge password response message fed back by the client, the access device may encapsulate the MD5 challenge password response message into the access request, and send the access request to the server, so that the server performs authentication processing.
S505: And judging whether the access challenge message is received.
When the access device has not received an MD5 challenge password response message, it can further judge whether an access challenge message has been received.
In case of receiving the access challenge message, S506 is performed.
In case that the access challenge packet is not received, the data of the next priority may be processed, i.e., S507 is executed.
S506: And sending an MD5 challenge password request to the corresponding client.
When receiving the access challenge message fed back by the server, the access device can send an MD5 challenge password request to the client.
S507: and judging whether a user name information response message is received or not.
If the user name information response message is received, S508 is executed.
If the user name information response message is not received, the data of the next priority may be processed, i.e., S509 is executed.
S508: encapsulating the user name information response message into an initial access request, and sending the initial access request to the server.
The access device sends an access request to the server when it receives the MD5 challenge password response message fed back by the client; it also sends an access request to the server when it receives the user name information response message sent by the client. For ease of distinction, the access request obtained by encapsulating the user name information response message may be referred to as the initial access request.
S509: judging whether an authentication request message has been received.
When the authentication request message sent by the client is received, the access device may feed back to the client a user name information request for acquiring the user name information, that is, S510 is performed.
S510: sending a user name information request to the corresponding client.
In the embodiment of the application, the data recorded in the protocol distribution queues are processed in turn based on the priorities of the different protocol distribution queues, so that the client that initiated authentication first is processed first. Unprocessed messages are stored in the protocol distribution queues, so that omission or loss of data caused by a large number of clients performing access authentication is avoided.
In the embodiment of the present application, in order to process messages of different protocol types quickly and in order, a first access control list, a second access control list and a third access control list may be configured in advance; the third access control list is used to match authentication service protocol messages, the second access control list is used to match identity verification protocol messages, and the first access control list is used to match traffic data other than authentication service protocol messages and identity verification protocol messages.
In practical application, the chip may be configured with a low-priority ACL (Access Control List) entry Type1 that matches all traffic and whose action is set to discard; a high-priority ACL entry Type2 that matches EAP messages and lifts them to the low-priority CPU queue, i.e., the second CPU queue; and a high-priority ACL entry Type3 that matches RADIUS messages and lifts them to the high-priority CPU queue, i.e., the first CPU queue.
For the client that completes authentication, a fourth access control list may be configured, and the identification information of the target client is recorded through the fourth access control list.
Correspondingly, if the data to be processed belongs neither to the authentication service protocol message nor to the identity verification protocol message, it may be judged whether the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list.
If the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list, this indicates that the client has passed authentication, and the data to be processed may be released directly.
In order to track released data to be processed, the access device may record the data to be processed, the identification information of the client that transmitted it, and the release time.
By recording the identification information of the client that transmitted the data to be processed and the release time, the source of the data can be traced if a problem is subsequently found with it, so that the problem can be located more quickly.
If the client identification information corresponding to the data to be processed does not match the identification information recorded in the fourth access control list, the data to be processed may be discarded.
The target client refers to a client which is authenticated by the server.
In this embodiment, a port and a source physical address (MAC) of the target client may be used as the identification information of the target client.
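The ACL-based first stage described above (the Type1 to Type3 entries plus the fourth access control list), as an added Python example that is not the patent's own code. It assumes the entries are evaluated from highest to lowest priority with the first match winning, that RADIUS replies are recognised by UDP source port 1812 together with a match on the server's address (modelled as a flag), and that EAP frames carry EtherType 0x888E; the port and MAC values are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Standard identifiers: EAP over LAN uses EtherType 0x888E (IEEE 802.1X);
# RADIUS authentication replies come from UDP source port 1812 (RFC 2865).
ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800
RADIUS_AUTH_PORT = 1812

# ACL actions
FIRST_CPU_QUEUE = "first CPU queue"    # Type3: RADIUS, high-priority CPU queue
SECOND_CPU_QUEUE = "second CPU queue"  # Type2: EAP, low-priority CPU queue
RELEASE = "release"                    # fourth ACL: traffic of an authenticated client
DISCARD = "discard"                    # Type1: all remaining traffic


@dataclass(frozen=True)
class Frame:
    """Constructed frame summary carrying only the fields the entries match on."""
    port: str                   # access-device port the frame arrived on
    src_mac: str                # source physical address
    ethertype: int
    udp_sport: Optional[int] = None
    from_server: bool = False   # assumption: result of a match on the server's address


class AccessDeviceAcl:
    def __init__(self) -> None:
        self.fourth_acl = set()                  # (port, src_mac) of target clients
        self.cpu_queues = {FIRST_CPU_QUEUE: [], SECOND_CPU_QUEUE: []}
        self.release_log = []                    # (port, src_mac, frame, release_time)

    def record_target_client(self, port: str, mac: str) -> None:
        """After S502: record the identification information of a client that passed."""
        self.fourth_acl.add((port, mac))

    @staticmethod
    def is_radius(f: Frame) -> bool:
        # Matching the port alone would let any client on an access port push frames
        # into the high-priority CPU queue, so the entry also requires the server match.
        return f.ethertype == ETHERTYPE_IPV4 and f.udp_sport == RADIUS_AUTH_PORT and f.from_server

    def classify(self, f: Frame, now: Optional[float] = None) -> str:
        """Entries are evaluated from highest to lowest priority; the first match wins."""
        if self.is_radius(f):                               # Type3
            self.cpu_queues[FIRST_CPU_QUEUE].append(f)
            return FIRST_CPU_QUEUE
        if f.ethertype == ETHERTYPE_EAPOL:                  # Type2
            self.cpu_queues[SECOND_CPU_QUEUE].append(f)
            return SECOND_CPU_QUEUE
        if (f.port, f.src_mac) in self.fourth_acl:          # fourth ACL: authenticated
            # Keep the record that lets the source be traced if the data later causes problems.
            self.release_log.append((f.port, f.src_mac, f, time.time() if now is None else now))
            return RELEASE
        return DISCARD                                      # Type1: match all, discard
```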
In the embodiment of the application, a processing flow of client access can be divided into three modules, namely a driving packet receiving module, a message scheduling module and an authentication processing module. The driving packet receiving module is used for acquiring a plurality of pieces of data to be processed transmitted by external equipment; the message scheduling module is used for determining the priority of each data to be processed according to the protocol type and the message type of each data to be processed; the authentication processing module is used for sequentially processing the data to be processed according to the priority order of the data to be processed so as to finish the access authentication of the server to the client.
Considering that in practical application the number of clients connected to the access device is often large, and in order to ensure that the access device preferentially processes the message closest to completing authentication, different priorities may be set for the driving packet receiving module, the message scheduling module and the authentication processing module: the authentication processing module has the highest priority, the message scheduling module the next highest, and the driving packet receiving module the lowest.
The authentication processing module processes data whose priority has been determined, and the message scheduling module processes data transmitted by the external device. For ease of distinction, data whose priority has been determined may be referred to as first data, and data transmitted by the external device may be referred to as second data.
In a specific implementation, it may be determined whether there is first data for which a priority has been determined. The first data may be plural in number, each first data having its corresponding priority. When the first data with the determined priority exists, the first data can be sequentially processed according to the priority order of the first data, so as to complete the access authentication of the server to the client corresponding to the first data.
And under the condition that the first data with the determined priority does not exist, further judging whether second data transmitted by the external equipment is acquired.
Under the condition that the second data transmitted by the external device is acquired, the priority of the second data can be determined according to the protocol type and the message type of the second data. And waiting for the data to be processed transmitted by the external equipment when the second data transmitted by the external equipment is not acquired.
In the embodiment of the application, the processing flow of client access is divided into different modules and different priorities are set for them. When a large number of clients are online, the subsequent authentication processing is performed first for the client closest to completing authentication, based on the authentication progress of the different clients. In this way the authentication of the client that initiated authentication first is completed quickly, the number of clients being authenticated at the same time is reduced, and the probability of packet loss is reduced.
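The protocol distribution queues, the S501-S510 processing order and the module priorities just described (first data is processed before second data is scheduled, and the device waits only when neither exists), as an added Python example that is not the patent's own code. It assumes the standard RADIUS code values, EAP code and type values and EAPOL packet types, orders the five queues as in the S501-S510 sequence, and uses constructed client names.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional
# Standard field values: RADIUS codes (RFC 2865), EAP codes/types (RFC 3748), EAPOL types (IEEE 802.1X).
RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 2, 11
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 2, 1, 4

@dataclass
class Message:
    """One piece of data to be processed (constructed, not a captured packet)."""
    protocol: str                   # "radius" (authentication service) or "eap" (identity verification)
    client: str                     # client identification (port + source MAC in the text)
    code: int = 0                   # RADIUS code field or EAP code field
    eap_type: Optional[int] = None  # EAP type field
    eapol_type: int = EAPOL_EAP_PACKET

# Queue priorities in the S501-S510 order: the closer to completing authentication, the higher.
PRIORITY = {
    "authentication request": 1,           # first queue
    "user name information response": 2,   # second queue
    "access challenge": 3,                 # third queue
    "MD5 challenge password response": 4,  # fourth queue
    "access acceptance": 5,                # fifth queue
}
# Action of the access device for each message type (S510, S508, S506, S504, S502).
ACTION = {
    "authentication request": "send user name information request to client",
    "user name information response": "encapsulate into initial access request to server",
    "access challenge": "send MD5 challenge password request to client",
    "MD5 challenge password response": "encapsulate into access request to server",
    "access acceptance": "send access-authentication-passed response to client",
}

def classify(msg: Message) -> Optional[str]:
    """RADIUS is typed by the code field, EAP by code and type; None if unhandled (e.g. Access-Reject)."""
    if msg.protocol == "radius":
        return {RADIUS_ACCESS_ACCEPT: "access acceptance",
                RADIUS_ACCESS_CHALLENGE: "access challenge"}.get(msg.code)
    if msg.protocol == "eap":
        if msg.eapol_type == EAPOL_START:       # client initiates authentication
            return "authentication request"
        if msg.code == EAP_RESPONSE and msg.eap_type == EAP_TYPE_IDENTITY:
            return "user name information response"
        if msg.code == EAP_RESPONSE and msg.eap_type == EAP_TYPE_MD5_CHALLENGE:
            return "MD5 challenge password response"
    return None

class AuthScheduler:
    def __init__(self) -> None:
        self.queues = {t: deque() for t in PRIORITY}  # one FIFO per message type
        self.authenticated = set()  # target clients (the fourth access control list)
        self.actions = []           # (client, action) in the order taken

    def enqueue(self, msg: Message) -> Optional[str]:
        """Message scheduling module: put second data into its distribution queue."""
        mtype = classify(msg)
        if mtype is not None:
            self.queues[mtype].append(msg)
        return mtype

    def process_one(self) -> Optional[str]:
        """Authentication processing module, one pass of S501-S510: serve the
        highest-priority non-empty queue; None when no first data is pending."""
        for mtype in sorted(PRIORITY, key=PRIORITY.__getitem__, reverse=True):
            if self.queues[mtype]:
                msg = self.queues[mtype].popleft()
                self.actions.append((msg.client, ACTION[mtype]))
                if mtype == "access acceptance":
                    self.authenticated.add(msg.client)
                return mtype
        return None

    def cycle(self, received: list) -> str:
        """One cycle under the module priorities: process first data before
        scheduling second data from the packet-receiving buffer, before waiting."""
        if self.process_one() is not None:
            return "processed first data"
        if received:
            self.enqueue(received.pop(0))
            return "scheduled second data"
        return "waiting for data"

    def drain(self) -> list:
        """Process all pending first data; returns message types in service order."""
        order = []
        while (mtype := self.process_one()) is not None:
            order.append(mtype)
        return order

def sample_messages() -> list:
    """Constructed input: five clients at different stages, plus one Access-Reject."""
    return [
        Message("eap", "client-A", eapol_type=EAPOL_START),
        Message("eap", "client-B", EAP_RESPONSE, EAP_TYPE_IDENTITY),
        Message("radius", "client-C", RADIUS_ACCESS_CHALLENGE),
        Message("eap", "client-D", EAP_RESPONSE, EAP_TYPE_MD5_CHALLENGE),
        Message("radius", "client-E", RADIUS_ACCESS_ACCEPT),
        Message("radius", "client-F", 3),
    ]
```

Feeding `sample_messages()` through `enqueue` and then `drain` serves client-E (access acceptance) first and client-A (authentication request) last, although they arrived in the opposite order.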
Fig. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application, including an acquisition unit 61, a determining unit 62, and an authentication unit 63;
an acquisition unit 61 configured to acquire a plurality of pieces of data to be processed transmitted from an external device; the external equipment comprises a client and a server;
a determining unit 62, configured to determine a priority of each piece of data to be processed according to a protocol type and a message type to which each piece of data to be processed belongs; the priority is set based on the protocol type, the message type and the proximity degree of completing authentication;
and the authentication unit 63 is configured to sequentially process each piece of data to be processed according to the priority order of each piece of data to be processed, so as to complete access authentication of the server to the client.
Optionally, the determining unit includes a first sending subunit, a parsing subunit, and a second sending subunit;
the first sending subunit is used for sending the data to be processed to the corresponding CPU queue according to the protocol type to which the data to be processed belongs;
the analysis subunit is used for sequentially analyzing the data to be processed recorded in each CPU queue according to the priority order of each CPU queue so as to determine the message type of each data to be processed in each CPU queue;
the second sending subunit is used for sending the data to be processed to the protocol distribution queue matched with the message type of the data to be processed; where different priorities are set for the protocol distribution queues according to how close each message type is to completing authentication.
Optionally, the first sending subunit is configured to determine whether the data to be processed belongs to an authentication service protocol packet;
under the condition that the data to be processed belongs to the authentication service protocol message, sending the data to be processed to a first CPU queue;
under the condition that the data to be processed does not belong to the authentication service protocol message, judging whether the data to be processed belongs to the identity verification protocol message or not;
under the condition that the data to be processed belong to the identity authentication protocol message, sending the data to be processed to a second CPU queue; and the priority of the first CPU queue is higher than that of the second CPU queue.
Optionally, a discarding unit is further included;
and the discarding unit is used for discarding the data to be processed under the condition that the data to be processed does not belong to the authentication service protocol message and the identity verification protocol message.
Optionally, the parsing subunit is configured to determine whether an authentication service protocol packet is recorded in the first CPU queue;
under the condition that an authentication service protocol message is recorded in the first CPU queue, analyzing a code field of the authentication service protocol message to determine a first message type of the authentication service protocol message; the first message type comprises an access challenge and an access acceptance;
judging whether an authentication protocol message is recorded in the second CPU queue;
under the condition that the authentication protocol message is recorded in the second CPU queue, analyzing a code field and a type field of the authentication protocol message to determine a second message type of the authentication protocol message; and the second message type comprises an MD5 challenge password response, a user name information response and an authentication request.
Optionally, the protocol distribution queue matched with the message type includes a first protocol distribution queue matched with the authentication request, a second protocol distribution queue matched with the user name information response, a third protocol distribution queue matched with the access acceptance, a fourth protocol distribution queue matched with the MD5 challenge password response, and a fifth protocol distribution queue matched with the access challenge; the priority levels of the first protocol distribution queue, the second protocol distribution queue, the third protocol distribution queue, the fourth protocol distribution queue and the fifth protocol distribution queue are sequentially increased.
Optionally, the second sending subunit is configured to send the authentication request packet whose packet type is an authentication request to the first protocol distribution queue;
sending a user name information response message with the message type of user name information response to a second protocol distribution queue;
sending the access challenge message with the message type of access challenge to a third protocol distribution queue;
sending the MD5 challenge password response message with the message type of MD5 challenge password response to a fourth protocol distribution queue;
and sending the access acceptance message with the message type of the access acceptance to a fifth protocol distribution queue.
Optionally, the authentication unit includes a first determining subunit, a first sending subunit, a second determining subunit, a second sending subunit, a third determining subunit, a third sending subunit, a fourth determining subunit, a fourth sending subunit, a fifth determining subunit, and a fifth sending subunit;
the first judging subunit is used for judging whether an access acceptance message is received or not;
the first sending subunit is configured to send, to the corresponding target client, a response message that the access authentication is passed, when the access acceptance message is received;
the second judging subunit is used for judging whether an MD5 challenge password response message is received or not under the condition that the access acceptance message is not received;
the second sending subunit is used for packaging the MD5 challenge password response message into the access request and sending the access request to the server under the condition of receiving the MD5 challenge password response message;
a third judging subunit, configured to judge whether an access challenge message is received or not when the MD5 challenge password response message is not received;
the third sending subunit is configured to send an MD5 challenge password request to the corresponding client, when receiving the access challenge packet;
a fourth judging subunit, configured to judge whether a user name information response message is received or not when the access challenge message is not received;
the fourth sending subunit is configured to, in the case that the username information response packet is received, encapsulate the username information response packet into the initial access request, and send the initial access request to the server;
a fifth judging subunit, configured to judge whether an authentication request message is received under the condition that the user name information response message is not received;
and the fifth sending subunit is configured to send a user name information request to the corresponding client when receiving the authentication request packet.
Optionally, a configuration unit is further included;
the configuration unit is used for configuring a first access control list, a second access control list and a third access control list in advance; the third access control list is used for matching the authentication service protocol message, the second access control list is used for matching the identity verification protocol message, and the first access control list is used for matching flow data except the authentication service protocol message and the identity verification protocol message.
Optionally, a recording unit is further included;
and the recording unit is used for recording the identification information of the target client through a fourth access control list after sending the response message passing the access authentication to the corresponding target client.
Optionally, the system further comprises an identification judgment unit, a release unit and a discarding unit;
the identification judgment unit is used for judging whether the client identification information corresponding to the data to be processed is matched with the identification information recorded by the fourth access control list or not under the condition that the data to be processed does not belong to the authentication service protocol message and the identity verification protocol message;
the releasing unit is used for releasing the data to be processed under the condition that the client identification information corresponding to the data to be processed is matched with the identification information recorded by the fourth access control list;
and the discarding unit is used for discarding the data to be processed under the condition that the client identification information corresponding to the data to be processed is not matched with the identification information recorded by the fourth access control list.
Optionally, a data recording unit is further included;
and the data recording unit is used for recording the to-be-processed data, the identification information of the client side for transmitting the to-be-processed data and the release time after the to-be-processed data is released under the condition that the identification information of the client side corresponding to the to-be-processed data is matched with the identification information recorded by the fourth access control list.
Optionally, the system further comprises a first space judgment unit, a first allocation unit and a first sending unit;
the first space judgment unit is used for judging whether the residual storage space of the first CPU queue meets the storage requirement of the data to be processed or not under the condition that the data to be processed belongs to the authentication service protocol message; under the condition that the residual storage space of the first CPU queue meets the storage requirement of the data to be processed, triggering a first sending subunit to send the data to be processed to the first CPU queue;
the first allocation unit is used for allocating a new first CPU queue with the same priority as the first CPU queue to the data to be processed under the condition that the residual storage space of the first CPU queue does not meet the storage requirement of the data to be processed;
and the first sending unit is used for sending the data to be processed to the new first CPU queue.
Optionally, the system further comprises a first prompting unit;
and the first prompting unit is used for feeding back first prompting information for suspending new data transmission to a target client terminal for transmitting the data to be processed.
Optionally, the system further comprises a second space judgment unit, a second allocation unit and a second sending unit;
the second space judgment unit is used for judging whether the residual storage space of the second CPU queue meets the storage requirement of the data to be processed or not under the condition that the data to be processed belongs to the authentication protocol message; under the condition that the residual storage space of the second CPU queue meets the storage requirement of the data to be processed, triggering the first sending subunit to send the data to be processed to the second CPU queue;
the second allocating unit is used for allocating a new second CPU queue with the same priority as the second CPU queue to the data to be processed under the condition that the residual storage space of the second CPU queue does not meet the storage requirement of the data to be processed;
and the second sending unit is used for sending the data to be processed to the new second CPU queue.
Optionally, a second prompting unit is further included;
and the second prompting unit is used for feeding back second prompting information for slowing down the transmission of new data to the target client side transmitting the data to be processed.
Optionally, the system further comprises a first data judgment unit and a second data judgment unit;
a first data judgment unit configured to judge whether there is first data for which a priority has been determined;
the authentication unit is further configured to, in the presence of the first data of which the priority has been determined, sequentially process the first data according to the priority order of the first data to complete access authentication of the server to the client corresponding to the first data;
the second data judging unit is used for judging whether second data transmitted by the external equipment is acquired or not under the condition that the first data with the determined priority does not exist;
the determining unit is further configured to determine the priority of the second data according to the protocol type and the message type to which the second data belongs, when the second data transmitted by the external device is acquired.
The description of the features in the embodiment corresponding to fig. 6 may refer to the related descriptions in the embodiments corresponding to fig. 1, fig. 3 to fig. 5, and details are not repeated here.
According to the technical scheme, a plurality of pieces of data to be processed transmitted by the external equipment are obtained, where the external equipment comprises a client and a server. The priority of each piece of data to be processed is determined according to the protocol type and the message type to which it belongs, the priority being set based on the protocol type, the message type and the proximity to completing authentication. The data to be processed are then processed in turn according to their priority order, so as to complete the access authentication of the server to the client. In this technical scheme, the proximity of each piece of data to be processed to completing authentication can be determined from its protocol type and message type, and the higher the proximity, the higher the priority that can be set. As a result, the authentication of the client that was authenticated first can be completed as soon as possible, the number of clients being authenticated at the same time is reduced, the continuity and timeliness of the client authentication process are ensured, the authentication efficiency of the access equipment is improved, and the processing capacity of the access equipment for authentication messages is used to the greatest extent.
Fig. 7 is a structural diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 7, the electronic device includes: a memory 20 for storing a computer program;
a processor 21, configured to implement the steps of the access control method according to the above-mentioned embodiment when executing the computer program.
The electronic device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, or the like.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 21 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 21 may further include an AI (Artificial Intelligence) processor for processing calculation operations related to machine learning.
Memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 20 is at least used for storing the following computer program 201, which, after being loaded and executed by the processor 21, can implement the relevant steps of the access control method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, and the like, and the storage manner may be transient or permanent. Operating system 202 may include, among others, Windows, Unix, Linux, and the like. Data 203 may include, but is not limited to, the priorities set based on protocol type, message type and proximity to completing authentication, etc.
In some embodiments, the electronic device may further include a display 22, an input/output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in fig. 7 does not constitute a limitation of the electronic device and may include more or fewer components than those shown.
It is to be understood that, if the access control method in the above embodiments is implemented in the form of a software functional unit and sold or used as a separate product, it may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and executes all or part of the steps of the methods of the embodiments of the present application, or all or part of the technical solutions. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable ROM, a register, a hard disk, a removable magnetic disk, a CD-ROM, a magnetic disk, or an optical disk.
Based on this, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method for controlling access are implemented as described above.
The foregoing details an access control method, an access control device, an access control apparatus, and a computer-readable storage medium provided in the embodiments of the present application. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The foregoing detailed description has provided a method, apparatus, device and computer-readable storage medium for controlling access provided by the present application. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, without departing from the principle of the present invention, it can make several improvements and modifications to the present application, and those improvements and modifications also fall into the protection scope of the claims of the present application.

Claims (20)

1. A method for controlling access, comprising:
acquiring a plurality of data to be processed transmitted by external equipment; wherein the external device comprises a client and a server;
determining the priority of each piece of data to be processed according to the protocol type and the message type of each piece of data to be processed; the priority is set based on the protocol type, the message type and the proximity degree of completing authentication;
and sequentially processing the data to be processed according to the priority order of the data to be processed so as to finish the access authentication of the server to the client.
2. The method according to claim 1, wherein the determining the priority of each piece of data to be processed according to the protocol type and the packet type to which each piece of data to be processed belongs comprises:
sending the data to be processed to a corresponding CPU queue according to the protocol type of the data to be processed;
analyzing the data to be processed recorded in each CPU queue in sequence according to the priority order of each CPU queue so as to determine the message type of each data to be processed in each CPU queue;
sending the data to be processed to a protocol distribution queue matched with the message type of the data to be processed; wherein different priorities are set for the protocol distribution queues according to how close each message type is to completing authentication.
3. The method according to claim 2, wherein the sending the data to be processed to the corresponding CPU queue according to the protocol type to which the data to be processed belongs includes:
judging whether the data to be processed belongs to an authentication service protocol message or not;
under the condition that the data to be processed belongs to an authentication service protocol message, sending the data to be processed to a first CPU queue;
under the condition that the data to be processed does not belong to the authentication service protocol message, judging whether the data to be processed belongs to the identity verification protocol message or not;
under the condition that the data to be processed belongs to the identity authentication protocol message, sending the data to be processed to a second CPU queue; and the priority of the first CPU queue is higher than that of the second CPU queue.
4. The method for controlling access according to claim 3, further comprising, after said determining whether the data to be processed belongs to an authentication service protocol packet:
and under the condition that the data to be processed does not belong to the authentication service protocol message and the identity verification protocol message, discarding the data to be processed.
5. The method according to claim 3, wherein the analyzing the data to be processed recorded in each CPU queue in sequence according to the priority order of the CPU queues to determine the message type of each piece of data to be processed in each CPU queue comprises:
judging whether an authentication service protocol message is recorded in the first CPU queue;
under the condition that an authentication service protocol message is recorded in the first CPU queue, analyzing the code field of the authentication service protocol message to determine a first message type of the authentication service protocol message; wherein the first message type comprises an access challenge and an access acceptance;
judging whether an identity verification protocol message is recorded in the second CPU queue;
under the condition that an identity verification protocol message is recorded in the second CPU queue, analyzing the code field and the type field of the identity verification protocol message to determine a second message type of the identity verification protocol message; wherein the second message type comprises an MD5 challenge password response, a user name information response and an authentication request.
6. The access control method according to claim 5, wherein the protocol distribution queues matching the message types comprise a first protocol distribution queue matching the authentication request, a second protocol distribution queue matching the user name information response, a third protocol distribution queue matching the access acceptance, a fourth protocol distribution queue matching the MD5 challenge password response, and a fifth protocol distribution queue matching the access challenge; wherein the priorities of the first, second, third, fourth and fifth protocol distribution queues increase in that order.
7. The method according to claim 6, wherein the sending the data to be processed to the protocol distribution queue matching its message type comprises:
sending an authentication request message, whose message type is authentication request, to the first protocol distribution queue;
sending a user name information response message, whose message type is user name information response, to the second protocol distribution queue;
sending an access challenge message, whose message type is access challenge, to the third protocol distribution queue;
sending an MD5 challenge password response message, whose message type is MD5 challenge password response, to the fourth protocol distribution queue;
and sending an access acceptance message, whose message type is access acceptance, to the fifth protocol distribution queue.
8. The method for controlling access according to claim 7, wherein the sequentially processing the data to be processed according to the priority order of the data to be processed to complete the access authentication of the server to the client comprises:
judging whether an access acceptance message is received;
under the condition that an access acceptance message is received, sending a response message indicating that access authentication has passed to the corresponding target client;
under the condition that no access acceptance message is received, judging whether an MD5 challenge password response message is received;
under the condition that an MD5 challenge password response message is received, encapsulating the MD5 challenge password response message into an access request and sending the access request to the server;
under the condition that no MD5 challenge password response message is received, judging whether an access challenge message is received;
under the condition that an access challenge message is received, sending an MD5 challenge password request to the corresponding client;
under the condition that no access challenge message is received, judging whether a user name information response message is received;
under the condition that a user name information response message is received, encapsulating the user name information response message into an initial access request and sending the initial access request to the server;
under the condition that no user name information response message is received, judging whether an authentication request message is received;
and under the condition that an authentication request message is received, sending a user name information request to the corresponding client.
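As an added example (not code from the patent), the following Python models the classification into CPU queues, the analysis of the code and type fields, the dispatch into the five protocol distribution queues and the priority-ordered processing of claims 3 to 8. The protocol names, the RADIUS-style Code values and EAP-style (Code, Type) pairs, and the (1, 0) start-request marker are assumptions for illustration, not values the patent states.

```python
from collections import deque

# Message types named as in the claims, ordered so that a larger value means the
# exchange is closer to completed authentication (the processing order of claim 8).
AUTH_REQUEST, USERNAME_RESPONSE, ACCESS_CHALLENGE, MD5_RESPONSE, ACCESS_ACCEPT = range(5)
# Assumed field values, not taken from the patent: RADIUS-style Code values for the
# authentication service protocol, EAP-style (Code, Type) pairs for the identity
# verification protocol; (1, 0) is a constructed marker for the client's start request.
AUTH_SERVICE_CODES = {11: ACCESS_CHALLENGE, 2: ACCESS_ACCEPT}
IDENTITY_CODE_TYPES = {(1, 0): AUTH_REQUEST, (2, 1): USERNAME_RESPONSE, (2, 4): MD5_RESPONSE}
# Follow-up for each message type (claim 8): who receives it and what it is.
ACTIONS = {
    ACCESS_ACCEPT: ("client", "access_authentication_passed"),
    MD5_RESPONSE: ("server", "access_request"),
    ACCESS_CHALLENGE: ("client", "md5_challenge_request"),
    USERNAME_RESPONSE: ("server", "initial_access_request"),
    AUTH_REQUEST: ("client", "username_request"),
}

# A packet is (client_id, protocol, code, type); any protocol other than the two below is discarded (claim 4).
def classify(packets):
    """Claims 3 and 4: the first CPU queue (auth service) outranks the second (identity)."""
    first, second = deque(), deque()
    for pkt in packets:
        if pkt[1] == "auth_service":
            first.append(pkt)
        elif pkt[1] == "identity":
            second.append(pkt)
    return first, second

def analyze_and_dispatch(first, second):
    """Claims 5 to 7: parse the code/type fields in CPU-queue priority order and place
    each packet in the protocol distribution queue matching its message type."""
    queues = [deque() for _ in range(5)]  # queue index == message type == priority
    for client, _, code, _ in first:
        if code in AUTH_SERVICE_CODES:    # unrecognised codes are not dispatched
            queues[AUTH_SERVICE_CODES[code]].append(client)
    for client, _, code, typ in second:
        if (code, typ) in IDENTITY_CODE_TYPES:
            queues[IDENTITY_CODE_TYPES[(code, typ)]].append(client)
    return queues

def process(queues):
    """Claim 8: drain the highest-priority non-empty queue first; return actions taken."""
    actions = []
    for mtype in (ACCESS_ACCEPT, MD5_RESPONSE, ACCESS_CHALLENGE, USERNAME_RESPONSE, AUTH_REQUEST):
        while queues[mtype]:
            dest, msg = ACTIONS[mtype]
            actions.append((dest, queues[mtype].popleft(), msg))
    return actions

def run(packets):
    return process(analyze_and_dispatch(*classify(packets)))
```

Feeding `run` a batch in arrival order returns the follow-up messages in the order the device would act on them, with the nearly-finished exchanges served first.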
9. The method for controlling access according to claim 1, further comprising, before said obtaining the plurality of data to be processed transmitted by the external device:
configuring in advance a first access control list, a second access control list and a third access control list; wherein the third access control list is used to match authentication service protocol messages, the second access control list is used to match identity verification protocol messages, and the first access control list is used to match traffic other than authentication service protocol messages and identity verification protocol messages.
10. The method for controlling access according to claim 9, further comprising, after the sending the response message indicating that access authentication has passed to the corresponding target client:
recording the identification information of the target client in a fourth access control list.
11. The method for controlling access according to claim 10, further comprising, after said judging whether the data to be processed belongs to an authentication service protocol message:
under the condition that the data to be processed belongs to neither an authentication service protocol message nor an identity verification protocol message, judging whether the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list;
under the condition that the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list, releasing the data to be processed;
and under the condition that the client identification information corresponding to the data to be processed does not match the identification information recorded in the fourth access control list, discarding the data to be processed.
12. The method according to claim 11, further comprising, after releasing the data to be processed in the case that the client identification information corresponding to the data to be processed matches the identification information recorded in the fourth access control list:
recording the data to be processed, together with the identification information of the client transmitting the data to be processed and the release time.
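As an added example (not code from the patent), this Python class models the access-control-list gate of claims 9 to 12: the three pre-configured lists decide whether traffic goes to the authentication queues, and the fourth list records clients that have passed authentication so that only their other traffic is released and logged. The protocol names and the injectable clock are assumptions made here for illustration.

```python
import time

class AccessGate:
    """Claims 9 to 12: three pre-configured ACLs route traffic; the fourth ACL records
    which clients have already passed access authentication."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so release times are reproducible in tests
        self.authenticated = set()    # fourth ACL: identification information of authenticated clients
        self.release_log = []         # claim 12: (data, client id, release time)

    @staticmethod
    def match_acl(proto):
        """Claim 9: ACL 3 matches the authentication service protocol, ACL 2 the identity
        verification protocol, ACL 1 all other traffic. Protocol names are assumed."""
        return {"auth_service": 3, "identity": 2}.get(proto, 1)

    def on_access_accepted(self, client_id):
        """Claim 10: after the pass response is sent, record the client in the fourth ACL."""
        self.authenticated.add(client_id)

    def handle(self, client_id, proto, data):
        """Claim 11: authentication traffic is queued for processing; any other traffic is
        released only for clients recorded in the fourth ACL and otherwise dropped."""
        if self.match_acl(proto) in (2, 3):
            return "queue"
        if client_id in self.authenticated:
            self.release_log.append((data, client_id, self.clock()))  # claim 12 audit record
            return "release"
        return "drop"
```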
13. The method for controlling access according to claim 3, further comprising, before said sending the data to be processed to the first CPU queue:
under the condition that the data to be processed belongs to an authentication service protocol message, judging whether the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed;
under the condition that the remaining storage space of the first CPU queue meets the storage requirement of the data to be processed, executing the step of sending the data to be processed to the first CPU queue;
and under the condition that the remaining storage space of the first CPU queue does not meet the storage requirement of the data to be processed, allocating a new first CPU queue with a priority equal to that of the first CPU queue to the data to be processed, and sending the data to be processed to the new first CPU queue.
14. The method according to claim 13, further comprising, after said allocating a new first CPU queue with a priority equal to that of the first CPU queue to the data to be processed:
feeding back first prompt information, instructing the target client transmitting the data to be processed to suspend the transmission of new data.
15. The method according to claim 3, further comprising, before said sending the data to be processed to the second CPU queue:
under the condition that the data to be processed belongs to an identity verification protocol message, judging whether the remaining storage space of the second CPU queue meets the storage requirement of the data to be processed;
under the condition that the remaining storage space of the second CPU queue meets the storage requirement of the data to be processed, executing the step of sending the data to be processed to the second CPU queue;
and under the condition that the remaining storage space of the second CPU queue does not meet the storage requirement of the data to be processed, allocating a new second CPU queue with a priority equal to that of the second CPU queue to the data to be processed, and sending the data to be processed to the new second CPU queue.
16. The method according to claim 15, further comprising, after said allocating a new second CPU queue with a priority equal to that of the second CPU queue to the data to be processed:
feeding back second prompt information, instructing the target client transmitting the data to be processed to slow down the transmission of new data.
17. The method for controlling access according to any one of claims 1 to 16, further comprising, before the obtaining the plurality of data to be processed transmitted by the external device:
judging whether first data whose priority has already been determined exists;
under the condition that first data whose priority has already been determined exists, sequentially processing the first data according to its priority order so as to complete the access authentication of the server to the client corresponding to the first data;
under the condition that no first data whose priority has already been determined exists, judging whether second data transmitted by the external device has been acquired;
and under the condition that second data transmitted by the external device has been acquired, determining the priority of the second data according to the protocol type and the message type of the second data.
18. An access control device, characterized by comprising an acquisition unit, a determination unit and an authentication unit; wherein
the acquisition unit is used for acquiring a plurality of data to be processed transmitted by external equipment; wherein the external equipment comprises a client and a server;
the determination unit is used for determining the priority of each piece of data to be processed according to the protocol type and the message type to which it belongs; wherein the priority is set based on the protocol type, the message type and the proximity to completed authentication;
and the authentication unit is used for sequentially processing the data to be processed according to their priority order so as to complete the access authentication of the server to the client.
19. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the method of controlling access according to any one of claims 1 to 17.
20. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the method for controlling access according to any one of claims 1 to 17.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211202758.4A CN115603968A (en) 2022-09-29 2022-09-29 Access control method, device, equipment and medium
PCT/CN2023/083458 WO2024066248A1 (en) 2022-09-29 2023-03-23 Access control method and apparatus, device, and non-volatile readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211202758.4A CN115603968A (en) 2022-09-29 2022-09-29 Access control method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115603968A true CN115603968A (en) 2023-01-13

Family

ID=84844092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211202758.4A Pending CN115603968A (en) 2022-09-29 2022-09-29 Access control method, device, equipment and medium

Country Status (2)

Country Link
CN (1) CN115603968A (en)
WO (1) WO2024066248A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116353664A (en) * 2023-02-28 2023-06-30 西门子交通技术(北京)有限公司 Automatic rail train protection system and readable storage medium
WO2024066248A1 (en) * 2022-09-29 2024-04-04 苏州元脑智能科技有限公司 Access control method and apparatus, device, and non-volatile readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10613994B2 (en) * 2017-03-29 2020-04-07 Intel Corporation Methods and apparatus to establish a connection between a supplicant and a secured network
CN108429703B (en) * 2018-03-12 2021-12-31 普联技术有限公司 DHCP client-side online method and device
CN112788028A (en) * 2021-01-10 2021-05-11 何顺民 Method and system for acquiring network parameters
CN115603968A (en) * 2022-09-29 2023-01-13 苏州浪潮智能科技有限公司(Cn) Access control method, device, equipment and medium

Also Published As

Publication number Publication date
WO2024066248A1 (en) 2024-04-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination