CN101188603A - A method for access to the external network according to user's right - Google Patents

A method for access to the external network according to user's right

Publication number: CN101188603A
Authority: CN (China)
Application number: CNA2006101457537A
Original language: Chinese (zh)
Inventor: 缪伟
Current assignee: ZTE Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: ZTE Corp
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: user, gateway, router, network, address
Abstract

The invention relates to a method for accessing an external network according to user rights. A gateway or router with a built-in user-rights database and its management system connects the local network to the external network and manages the local network. The method comprises the following steps: a user's first WEB access to the external network is redirected to a rights-management interface; the user enters authentication information; after verification against the database, the terminal's IP address or MAC address is bound to the corresponding rights; and the gateway or router then refuses or forwards outgoing packets according to that binding and the source IP address or source MAC address of the WEB access packet. By binding the user's authentication credentials to the IP/MAC address of the terminal's packets and managing users' network rights through WEB redirection, the method imposes no restriction on the terminal environment and requires no software or device to be installed on the terminal: as long as the terminal reaches the external network through the gateway or router of the invention, network users can be identified, authenticated and managed using the plain HTTP protocol, so the cost is low and operation is convenient.

Description

A method for accessing an external network according to user rights
Technical field
The present invention relates to the security and use of computer networks, and specifically to a method for accessing an external network according to user rights.
Background art
With the development of Internet technology the number of network users keeps growing, and the network has become an indispensable part of people's life and work. Various local area networks (LANs) exist in homes and companies, such as company networks and home networks. In these LANs, how to distinguish different network users and assign each of them the corresponding rights has become an important issue: in a company network one may wish to distinguish the boss, the administrator and the employees and assign different rights to each, and in a home one may wish to distinguish children, parents and guests.
The solution adopted by the industry so far is for the terminal's system to cooperate with the gateway, router or switch to identify and authenticate the user. This approach requires the terminal equipment (a PC or an access device) to have extra software installed, or to be supported by the terminal's system itself; installation is complicated, the terminal's system is restricted, and extensibility is poor.
Summary of the invention
The technical problem the present invention addresses is to provide a method for accessing an external network according to user rights which assigns each network user the corresponding access rights without installing extra software on, or requiring support from, the terminal equipment, places no restriction on the terminal's system, and is highly extensible.
The invention solves this problem by providing a method for accessing an external network according to user rights in which a gateway or router with a built-in user-rights database and its management system connects the external network and manages the local area network, comprising the following steps:
1.1) the user makes a first WEB access to the external network from a local-network terminal;
1.2) the gateway or router redirects this WEB access to the rights-management interface of the gateway or router;
1.3) the user enters user authentication information;
1.4) if the entered information matches the user authentication information in the user-rights database, the gateway or router binds the IP address or MAC address of the user's terminal to the corresponding rights held in the user-rights database;
1.5) the gateway or router refuses or forwards outgoing packets according to this binding and the source IP address or source MAC address of the WEB access packets it receives.
According to the method provided by the invention, the method further comprises:
2.1) a user's data packet exceeds the user's rights during WEB access to the external network;
2.2) the gateway or router redirects this WEB access to the rights-management interface of the gateway;
2.3) the user enters advanced-user authentication information;
2.4) if this advanced-user authentication information matches the user authentication information in the user-rights database, the gateway or router updates the binding of the terminal's IP address or MAC address to the corresponding advanced-user rights held in the user-rights database;
2.5) the gateway or router refuses or forwards outgoing packets according to the updated binding and the source IP address or source MAC address of the WEB access packets it receives.
According to the method provided by the invention, step 1.5) or 2.5) comprises:
3.1) a data packet originating from the internal network arrives at the gateway or router;
3.2) the gateway or router obtains the source IP address or source MAC address of the packet;
3.3) it looks up the rights bound to that source IP address or source MAC address and, according to those rights, refuses or forwards the packet.
According to the method provided by the invention, the method further comprises the user re-entering the rights-management interface and actively logging out, whereupon the gateway or router removes the binding.
According to the method provided by the invention, the method further comprises the user's allotted network time expiring, whereupon the gateway or router removes the binding; this time is configured when the user logs in.
According to the method provided by the invention, the method further comprises the gateway or router automatically removing the binding after the user has not accessed the external network for a long time; this long time may be 10-40 minutes.
According to the method provided by the invention, the user authentication information comprises a username and a password.
According to the method provided by the invention, the external network is the INTERNET.
According to the method provided by the invention, the user rights include, but are not limited to, restricting or allowing access by time period, by target URL address or by target IP address.
According to the method provided by the invention, the rights-management interface comprises, but is not limited to, a server reachable within the gateway or router or within the local area network.
According to the method provided by the invention, if the verification in step 2.4) fails, packets are still refused or forwarded according to the previous binding.
According to the method provided by the invention, the gateway or router determines whether a user's WEB access to the external network is the first one by comparing the source IP address or source MAC address of the WEB access packet against all recorded bindings.
The method for accessing an external network according to user rights provided by the invention binds the user's authentication credentials to the IP/MAC address of the terminal's packets, so that the network rights of network users can be managed by the gateway or router. It does not restrict the environment of the network user's terminal, and no software or equipment needs to be installed on the terminal: as long as the user's terminal reaches the external network through a gateway or router on which the user-rights system and its management system of the invention are installed, identification, authentication and management of network users can be achieved simply by WEB redirection, at low cost and with ease of use.
Description of the drawings
The present invention is described in detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic diagram of the network architecture used by the method of the present invention for accessing an external network according to user rights.
Fig. 2 is a schematic diagram of the framework of the user-rights management system inside the gateway or router of Fig. 1.
Fig. 3 is a schematic flow chart of the network-rights management corresponding to the method of the present invention for accessing an external network according to user rights.
Embodiments
First, the network system to which the method of the invention applies is described. As shown in Fig. 1, the whole system consists of a user terminal 4 in the local area network 1 and a gateway or routing device 2, located between the local area network 1 and the INTERNET, on which the user-rights database and its management system are installed. The internal structure of the user-rights management system is shown in Fig. 2; it comprises a user-rights authentication module 21, a network control module 23, a scheduled-task module 22 (the "plan target module") and a monitoring and filtering module 24, where:
(1) User-rights authentication module 21: accepts the user's rights authentication. The user can log in in several ways, such as HTTP, FTP, Telnet or UPnP. The module checks whether the username and password the user registers with are correct, and at the same time analyses the IP address from which the user registers;
(2) Network control module 23: used to configure the policy tasks associated with users, such as a parent policy or a child policy for a family;
(3) Scheduled-task module 22: manages the execution of policies. When it receives a message from the user-rights authentication module giving the binding between a username and an IP or MAC address, it scans all policies associated with that user, updates the IP/MAC address in the policy tasks and issues the tasks again;
(4) Monitoring and filtering module 24: located at the network layer, it filters packets by IP or MAC address; every packet is analysed and judged according to the filtering policy.
Apart from requiring the gateway or routing device to have the network-user rights-management function, the invention places no requirement on the terminals of the local area network / internal network.
Second, taking HTTP redirection, i.e. WEB redirection, as the example way of managing network rights, the preferred embodiment of the invention is described. As shown in Fig. 3, the process comprises:
301) the administrator configures the network control module 23 with, for example, the number of users and their grades, and sets the network rights each user may use; after configuration is complete, the network control module 23 passes this configuration to the scheduled-task module 22;
302) when a user uses the network for the first time, the user must log in at the user-rights authentication module 21 and choose the period for which the network may be used: permanent access, access until the gateway restarts, or access for a specified time. The user then need not register again within that period. The user-rights authentication module 21 checks whether the entered username and password are correct, and at the same time analyses the IP or MAC address of the registering terminal;
303) the user-rights authentication module 21 passes the binding between this user and the IP or MAC address, together with the period for which the user may use the network, to the scheduled-task module 22;
304) the scheduled-task module 22 checks the task policies associated with this username and rewrites them with the new IP or MAC address;
305) the scheduled-task module 22 issues the modified task policies to the monitoring and filtering module 24;
306) the user begins to use the network, and the monitoring module 24 controls and manages the user's packets according to the new policy tasks;
307) when the monitoring module 24 finds that these packets exceed the user's rights, it sends a WEB redirection message to the user's terminal 4, redirecting the user's WEB access to the rights-management interface of gateway 2;
308) if the user has no advanced-user rights, this network access is stopped; if the user does have advanced-user rights, the user enters the advanced-user authentication information and sends it to gateway device 2;
309) gateway device 2 analyses whether this authentication information is correct; if it is, it analyses the IP or MAC address that goes with the authentication information and again sends the binding between the user information and this IP or MAC address to the scheduled-task module 22;
310) the scheduled-task module 22 again checks the task policies associated with this username and rewrites them with the new IP or MAC address;
311) the scheduled-task module 22 again issues the modified task policies to the monitoring and filtering module 24;
312) when this user accesses the network again, the monitoring module 24 filters with the new task policy; because the restriction policy for an advanced user is less strict than that for an ordinary user, the user can now access normally.
313) when the user's allotted network time expires (this period was configured when the user logged in), the scheduled-task module cancels the filtering policy corresponding to this user and restricts the user's access, so the next time the user accesses the network the work of step 302) must be repeated. The user can also actively log in to the user-rights authentication module 21 and cancel their own access, whereupon the scheduled-task module 22 cancels the filtering policy corresponding to the user and restricts the user's access; again, step 302) must be repeated at the user's next access.
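As an added illustration (not part of the patent or of ZTE's code), the following Python model implements the gateway decision logic of steps 1.1-1.5 and 3.1-3.3, the advanced-user re-binding of steps 2.1-2.5 and 309, and the three binding-removal rules (active logout, expiry of the period chosen at login, and inactivity). All usernames, addresses, policies and timestamps are constructed; the idle timeout is set to 20 minutes, inside the 10-40 minute range the description gives.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

IDLE_TIMEOUT = 20 * 60  # seconds; the description allows 10-40 minutes of inactivity

def pw_hash(password: str) -> str:  # the user-rights database stores digests only
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Right:
    hours: tuple        # (start, end) UTC hours during which access is allowed
    blocked: frozenset  # target hosts or IPs this right refuses

@dataclass
class Binding:
    user: str
    right: Right
    bound_at: float
    last_seen: float
    lifetime: Optional[float]  # seconds chosen at login; None = permanent access

class Gateway:
    def __init__(self, user_db):
        self.user_db = user_db  # username -> (password digest, Right)
        self.bindings = {}      # source IP or MAC address -> Binding

    def login(self, src, user, password, now, lifetime=None):
        """Steps 1.3-1.4 / 2.3-2.4: verify the credentials and bind the terminal's
        source address to that user's right; a failed re-login keeps the old binding (claim 9)."""
        entry = self.user_db.get(user)
        if entry is None or not hmac.compare_digest(entry[0], pw_hash(password)):
            return False
        self.bindings[src] = Binding(user, entry[1], now, now, lifetime)
        return True

    def logout(self, src):
        return self.bindings.pop(src, None) is not None  # claim 3: active cancel at the portal

    def decide(self, src, dst, now):
        """Steps 3.1-3.3: look up the packet's source address in the binding table and
        return 'forward', 'deny', or 'redirect' (no usable binding: send the WEB access
        to the rights-management interface, steps 1.2 and 307)."""
        b = self.bindings.get(src)
        if b and ((b.lifetime is not None and now - b.bound_at >= b.lifetime)
                  or now - b.last_seen >= IDLE_TIMEOUT):
            del self.bindings[src]  # allotted time expired (claim 4) or long idle (claim 5)
            b = None
        if b is None:
            return "redirect"
        b.last_seen = now
        hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
        if not b.right.hours[0] <= hour < b.right.hours[1] or dst in b.right.blocked:
            return "deny"  # beyond the bound right; step 307 redirects such a WEB access
        return "forward"

def run_demo():
    # Constructed walk through Fig. 3: a child account, a parent (advanced user) account, one terminal
    child = Right((8, 20), frozenset({"games.example"}))
    parent = Right((0, 24), frozenset())
    gw = Gateway({"kid": (pw_hash("kid-pass"), child),
                  "mum": (pw_hash("mum-pass"), parent)})
    src, t0 = "192.168.1.10", 1_000_000_000 + 9 * 3600  # 2001-09-09 10:46:40 UTC
    log = [gw.decide(src, "news.example", t0),          # first visit: redirect
           gw.login(src, "kid", "kid-wrong", t0),       # bad password: False
           gw.login(src, "kid", "kid-pass", t0, 3600),  # bound for one hour: True
           gw.decide(src, "news.example", t0 + 1),      # forward
           gw.decide(src, "games.example", t0 + 2),     # deny: beyond the child's right
           gw.login(src, "mum", "mum-pass", t0 + 3),    # advanced user re-binds (step 309)
           gw.decide(src, "games.example", t0 + 4),     # forward
           gw.logout(src),                              # active cancel (claim 3): True
           gw.decide(src, "news.example", t0 + 5)]      # redirect again
    gw.login(src, "kid", "kid-pass", t0 + 10, 3600)
    log.append(gw.decide(src, "news.example", t0 + 10 + 3600))           # allotted hour expired
    gw.login(src, "kid", "kid-pass", t0 + 8000)
    log.append(gw.decide(src, "news.example", t0 + 8000 + IDLE_TIMEOUT))  # long idle
    return log
```

Running `run_demo()` yields the sequence of decisions in the comments; a real gateway would apply `decide()` in the packet path and serve the redirect target from the rights-management interface.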

Claims (10)

1. A method for accessing an external network according to user rights, characterised in that a gateway or router with a built-in user-rights database and its management system connects the external network and manages the local area network, comprising the following steps:
1.1) the user makes a first WEB access to the external network from a local-network terminal;
1.2) the gateway or router redirects this WEB access to the rights-management interface of the gateway or router;
1.3) the user enters user authentication information;
1.4) if the entered information matches the user authentication information in the user-rights database, the gateway or router binds the IP address or MAC address of the user's terminal to the corresponding rights held in the user-rights database;
1.5) the gateway or router refuses or forwards outgoing packets according to this binding and the source IP address or source MAC address of the WEB access packets it receives.
2. The method according to claim 1, characterised in that the method further comprises:
2.1) a user's data packet exceeds the user's rights during WEB access to the external network;
2.2) the gateway or router redirects this WEB access to the rights-management interface of the gateway;
2.3) the user enters advanced-user authentication information;
2.4) if this advanced-user authentication information matches the user authentication information in the user-rights database, the gateway or router updates the binding of the terminal's IP address or MAC address to the corresponding advanced-user rights held in the user-rights database;
2.5) the gateway or router refuses or forwards outgoing packets according to the updated binding and the source IP address or source MAC address of the WEB access packets it receives.
3. The method according to claim 1 or 2, characterised in that it further comprises the user re-entering the rights-management interface and actively logging out, whereupon the gateway or router removes the binding.
4. The method according to claim 1 or 2, characterised in that it further comprises the user's allotted network time expiring, whereupon the gateway or router removes the binding.
5. The method according to claim 1 or 2, characterised in that it further comprises the gateway or router removing the binding after the user has not accessed the external network for a long time.
6. The method according to claim 1 or 2, characterised in that the user authentication information comprises a username and a password.
7. The method according to claim 1 or 2, characterised in that the external network is the INTERNET.
8. The method according to claim 1 or 2, characterised in that the user rights comprise restricting or allowing access by time period, by target URL address or by target IP address.
9. The method according to claim 2, characterised in that if the verification in step 2.4) fails, packets are still refused or forwarded according to the previous binding.
10. The method according to claim 1, characterised in that the gateway or router determines whether a user's WEB access to the external network is the first one by comparing the source IP address or source MAC address of the WEB access packet against all recorded bindings.

Priority application: CNA2006101457537A, priority date 2006-11-16, filing date 2006-11-16, title "A method for access to the external network according to user's right", status Withdrawn.

Publication: CN101188603A (en), published 2008-05-28.

Family ID: 39480792; one family application (CNA2006101457537A); country status: CN (1) CN101188603A (en).

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877694A (en) * 2009-04-30 2010-11-03 华为技术有限公司 Method, device and system for authority control in radio channel switching
CN101730087A (en) * 2009-12-11 2010-06-09 中国联合网络通信集团有限公司 Usim service access method and usim card
CN103581029A (en) * 2012-08-03 2014-02-12 盛乐信息技术(上海)有限公司 Router and method for opening navigation page automatically
CN103581029B (en) * 2012-08-03 2018-05-29 上海果壳电子有限公司 The method for automatically turning on the router of navigation page and automatically turning on navigation page
CN103840939A (en) * 2012-11-27 2014-06-04 镇江精英软件科技有限公司 Method for reauthenticating special operation of information system through network card MAC address
CN103873488A (en) * 2014-04-08 2014-06-18 北京极科极客科技有限公司 Internet surfing control method based on router plug-in
CN104618346A (en) * 2015-01-09 2015-05-13 厦门美图移动科技有限公司 Route check-based WIFI (Wireless Fidelity) network connection method and system
CN104618346B (en) * 2015-01-09 2018-07-13 厦门美图移动科技有限公司 A kind of WIFI network connection method and system based on routing check
CN104580252B (en) * 2015-01-29 2018-03-20 小米科技有限责任公司 Method for network access control and device
CN104580252A (en) * 2015-01-29 2015-04-29 小米科技有限责任公司 Network access control method and device
CN105871749A (en) * 2015-11-16 2016-08-17 乐视致新电子科技(天津)有限公司 Network access control method and system based on router, and related device
CN106454829A (en) * 2016-10-09 2017-02-22 杭州华三通信技术有限公司 Authorized network access method and device
CN107547565A (en) * 2017-09-28 2018-01-05 新华三技术有限公司 A kind of network access verifying method and device
CN107547565B (en) * 2017-09-28 2020-08-14 新华三技术有限公司 Network access authentication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C04 Withdrawal of patent application after publication (patent law 2001)
WW01 Invention patent application withdrawn after publication